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Preface 



Foreword from the Program Chairs 

These proceedings contain the papers selected for presentation at the 9th Eu- 
ropean Symposium on Research in Computer Security (ESORICS) , held during 
September 13-15, 2004 in Sophia Antipolis, France. 

In response to the call for papers 159 papers were submitted to the conference. 
These papers were evaluated on the basis of their significance, novelty, and tech- 
nical quality. Each paper was reviewed by at least three members of the program 
committee. The program committee meeting was held electronically; there was 
an intensive discussion over a period of two weeks. Of the papers submitted, 27 
were selected for presentation at the conference, giving an acceptance rate lower 
than 17%. The conference program also included an invited talk. 

A workshop like this does not just happen; it depends on the volunteer efforts of 
a host of individuals. There is a long list of people who volunteered their time and 
energy to put together the workshop and who deserve special thanks. Thanks to 
all the members of the program committee, and the external reviewers, for all 
their hard work in the paper evaluation. Due to the large number of submissions 
the program committee members were really required to work hard in a short 
time frame, and we are very thankful to them for the commitment they showed 
with their active participation in the electronic discussion. We are also very 
grateful to all those people whose work ensured a smooth organization process: 
Refik Molva, who served as the General Chair, Marc Dacier, the Sponsoring 
Chair, Yves Roudier, who served as the Publicity Chair and maintained the Web 
pages, Sabrina de Capitani di Vimercati, who helped in the review process, Dieter 
Gollmann, who served as the Publication Chair and collated this volume, and 
Anne Duflos and Laurence Grammare for helping with the local arrangements. 

Last, but certainly not least, our thanks go to all the authors who submitted 
papers and all the attendees. We hope you find the program stimulating. 



Peter Ryan and Pierangela Samarati 
(Program Co-chairs) 
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Foreword from the General Chair 

Initially established as the European conference in research on computer secu- 
rity, ESORICS has reached the status of a main international event gathering 
researchers from all over the world. Taking place in a different European country 
every other year during its first seven occurrences, it has been a yearly conference 
since 2003. 

ESORICS 2004 was organized by the Institut EURECOM and took place in 
Sophia Antipolis, France, September 13-15, 2004. 

The organization of such an important event required a major effort and we wish 
to express our sincere appreciation to the organization committee members for 
their excellent work. 

We would like to express our special appreciation to the Program Chairs 
Pierangela Samarati and Peter Ryan for coming up with a high-quality tech- 
nical program that was the result of a complex evaluation process they handled 
very smoothly. 

We are also indebted to the Institut EURECOM who not only allowed us and 
other organization committee members to dedicate considerable time and energy 
to the organization of this event, but also provided logistic and financial support 
to host it. 



Sophia Antipolis, September 2004 
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Incorporating Dynamic Constraints 
in the Flexible Authorization Framework 



Shiping Chen, Duminda Wijesekera, and Sushil Jajodia 

Center for Secure Information Systems, George Mason University, 
Fairfax, VA 22030-4444, USA 
{schen3 ,dwi jesek, jajodia}@gmu. edu 



Abstract. Constraints are an integral part of access control policies. De- 
pending upon their time of enforcement, they are categorized as static 
or dynamic; static constraints are enforced during the policy compilation 
time, and the dynamic constraints are enforced during run time. While 
there are several logic-based access control policy frameworks, they have 
a limited power in expressing and enforcing constraints (especially the 
dynamic constraints). We propose dynFAF, a constraint logic program- 
ming based approach for expressing and enforcing constraints. To make 
it more concrete, we present our approach as an extension to the flexi- 
ble authorization framework (FAF) of Jajodia et al. [17]. We show that 
dynFAF satisfies standard safety and liveliness properties of a safety 
conscious software system. 



1 Introduction 

Constraints are a powerful mechanism for specifying high-level organizational 
policies [21]. Accordingly, most access control policies contain constraints, usu- 
ally categorized as static or dynamic, referring to their time of enforcement by 
the access controller. As examples, consider the following two constraints: an 
undergraduate student should not he permitted to grade qualifying examinations 
at the PhD level, and an author should not be allowed to review his/her own 
manuscript. The first constraint can be enforced by prohibiting grading permis- 
sions on PhD examinations for every undergraduate student, thereby making 
it statically enforceable. The second constraint requires an access controller to 
evaluate if the requesting subject is also an author of the document to be re- 
viewed when the request is made. This constraint cannot be evaluated prior to 
the request, making the constraint dynamically, but not statically, enforceable. 
Enforcing the latter kind of constraints over access permissions expressed as 
Horn clauses is the subject matter of this paper. 

The past decade has seen several logic based flexible access control policy 
specification frameworks. Woo and Lam [25] propose the use of defaidt. logic for 
representing access control policies. To overcome the problems of undecidability 
and non-implementability that arise in Woo and Lam’s approach, Jajodia et 
al. [17] propose an access control policy specification framework (FAF) based 
on a restricted class of logic programs, viz., those that are locally stratifiable. 
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Bertino et al.’s framework [6] uses C-Datalog to express various access control 
policies [6]. Barker and Stuckey use constraint logic programming for multi-policy 
specification and implementation [4]. 

Although they are powerful in expressing access control policies, these frame- 
works have a limited power in specifying and enforcing constraints. For instance, 
Jajodia et al. [17] use an integrity rule (a logic rule with an error() head) to 
specify constraints. Barker and Stuckey [4] define some special consistency check- 
ing rules (with head of predicates inconsistentssd, inconsistent-dsd) to encode 
the separation of duty constraints. However, the enforcement of the constraints 
is left outside the framework; as a result, dynamic constraints cannot be enforced 
in the access control engine properly. 

To overcome these drawbacks, we propose a constraint logic programming 
based approach to express and enforce dynamic constraints. To make it more 
concrete, we present our approach as an extension to Flexible Authorization 
Framework (FAF) proposed by Jajodia et al. [17]. Our approach is applicable to 
other logic based access control frameworks because our constraint specification 
and enforcement modules are built on top of the existing framework modules. 
The proposed extension, called dynFAF , has two extra modules. First module, 
the integrity constraint specification and derivation module (ISM), is responsible 
for specifying the atomic conflicts and deriving all possible complex conflicts 
in the system that represent the constraints. The second module, the dynamic 
access grant module (DAM), is responsible for enforcing the constraints specified 
by ISM dynamically. In addition, DAM allows subjects to relinquish permissions 
that were granted to them. In our design, FAF composes the static component, 
and ISM and DAM compose the dynamic component of dynFAF. 

We show that dynFAF satisfies safety and liveliness properties granting any 
access that does not violate derivable constraint, and denying those that do. 
Because FAF policies are stratified logic programs, they have a stable model 
semantics [14]. Our constraint specification policies taken together with FAF 
policies also have a local stratification, thereby admitting a stable model that 
extends the former. In addition, proposed dynamic access grant module enriches 
the syntax of the former by having yet another layer of constrained logic pro- 
grams, that taken as a whole extends the former local stratification. Therefore, 
a dynFAF specification admits a well-founded model in which some predicate 
may result in an undefined truth in addition to the usual true or false values; 
however, our design ensures that any access requested of dynFAF returns only 
true or false. 

The remainder of the paper is structured as follows. Section 2 contains a 
brief overview of FAF, followed by a description of its limitations. Section 3 
presents the architecture of dynFAF, including the descriptions of ISM and DAM 
modules. Section 4 presents the semantics of dynFAF syntax. Section 5 shows 
that dynFAF satisfies the traditional safety and liveliness properties, and that the 
semantics of the granting and relinquishing access rights are enforced properly. 
Section 6 compares our work to those of others. Section 7 concludes the paper. 
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Fig. 1 . dynFAF Architecture 



2 Overview of FAF 

FAF [17] is a logic-based framework to specify authorizations in the form of 
rules, based on four stages ( each stage corresponds to a module) that are ap- 
plied in a sequence, as shown in FAF Architecture part of Figure 1. In the first 
stage of the sequence, some basic facts such as authorization subject and ob- 
ject hierarchies (for example directory structures) and a set of authorizations 
along with rules to derive additional authorizations are given. The intent of this 
stage is to specify basic authorizations and use structural properties to derive 
new authorizations. Hence, they are called specification and propagation poli- 
cies. Although propagation policies are flexible and expressive, they may result 
in over- specification resulting in conflicting authorizations. FAF uses conflict res- 
olution policies to weed out these in the second stage. At the third stage, decision 
policies are applied in order to ensure the completeness of authorizations. The 
last stage consists of checking for integrity constraints, where all authorizations 
that violate integrity constraints will be denied. In addition, FAF ensures that 
every access request is either granted or rejected, thereby providing a built-in 
completeness property. 

FAF syntax consists of terms that are built from constants and variables (no 
function symbols) and they belong to four sorts, viz., subjects, objects, actions, 
and roles. We use the capital letters with subscripts such as X s , Y a , X a , and X r 
to denote the respective variables belonging to them, and lower case letters such 
as s, a, o, and r for constants. FAF has the following predicates: 

1. A ternary predicate cando(s, o, a), representing grantable or deniable re- 
quests (depending on the sign associated with the action) where s, o, and a 
are subject, object, and signed action terms, respectively. 

2. A ternary predicate dercando(s, o, a), with the same arguments as cando. 
The predicate dercando represents authorizations derived by the system 
using inference rules modus ponens plus rule of stratified negation [2] . 

3. A ternary predicate do, with the same arguments as cando, representing the 
access control decisions made by FAF. 

4. A 4-ary predicate done(s, o, a, t), meaning subject s has executed action a 
on object o at time t, t is a natural number. 

5. Two binary predicate symbols overAS and overAO, each taking two subject 
and object terms as arguments two object terms respectively. 





4 



Shiping Chen, Duminda Wijesekera, and Susliil Jajodia 



6. A predicate symbol without argument, error, symbolizing violation of an 
integrity constraint, where a rule with an error head must not have a sat- 
isfiable body. 

7. Other terms and predicates necessary to model specific applications. For 
example, constants AOH, ASH denote object and subject hierarchies with 
in, where in(x,y,H) denotes that x < y in hierarchy H. For example, we 
denote the fact that usr\local is below usr in the object hierarchy AOH by 

in(usr\local , usr, AOH). 

Because any FAF specification is a locally stratified logic program, it has a 
unique stable model [14], and a well-founded model (as in Gelfond and Lifshitz). 
In addition, the well-founded model coincides with the unique stable model [3, 
17]. Furthermore, the unique stable model can be computed in quadratic time 
data complexity [24]. See [17] for details. 



2.1 Limitations of FAF 

In its current design, FAF has these limitations. First, FAF expresses constraints 
using integrity rules of the kind error]) <— Li,...,L n where error is an 
argument-less predicate that should not be valid in any model and Li, ... , L n are 
other literals. Ensuring that granted permissions do not imply error is enforced 
outside of the logical machinery of FAF. Accordingly, it is not within the logical 
inference engine of FAF to avoid constraint violations. To elaborate further, FAF 
evaluates an access request as a query ?do(s, o, a), and ensures the completeness 
and consistency of the specification, consisting of the rules from the first three 
modules, by ensuring that one and only one of do(s,o, +a) or do(s,o, — a) eval- 
uates to true. However, it is possible that both (s, o, +a) and (s,o, — a) could 
be rejected by the integrity enforcement module making the eventual outcomes 
incomplete, as the inference rules are unaware of rejections by the integrity en- 
forcement module. Thus, the integrity enforcement needs to be brought inside 
the reasoning engine, as done in dynFAF. 

Second, FAF does not allow constraint derivation, although this occurs in 
practice. For example, role based access control (RBAC) models have conflict- 
ing roles (say, rq and rg) where a single subject assuming them simultaneously 
violate the policy. In addition, an application may want to declare junior roles 
of conflicting roles to be conflicting. That is, if roles r 3 ,r 4 are junior to roles rq 
and r 2 , respectively, by satisfying the constrains r 3 < rq and r 4 < r 2 , then no 
subject should be allowed to assume r 3 and r 4 simultaneously. Our extension 
facilitates constraint derivation. 

Third, in FAF each access request is either granted or denied on its own 
merit. But some applications may want controlled (don’t care) nondeterminism. 
For example, a subject is allowed to assume role rq or role 7 * 2 , but not both, 
with no preference for either. If we are to accept a unique stable model, then 
either rq or r 2 , but not both can be assumed by the subject. dynFAF facilitates 
controlled nondeterminism in granting permissions. 
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Finally, and importantly, FAF does not consider an evolving access control 
system. That is, if do (o, s, +a) is in the stable model of an authorization specifica- 
tion, the access request ( o , s, a) is always permitted. In practice, an authorization 
may be relinquished by the user or the administrator some time after it is autho- 
rized (e.g., in workflow management systems). Consequently, some authorization 
that is not allowed at a point of time because of constraints restriction may be 
allowed later if the conflicting authorizations are relinquished. Notice that in- 
serting a negative authorization cando(o, s, — a ) does not model this situation. 
The soon to be described dynamic access grant module of dynFAF provides this 
functionality. 

3 dynFAF: A Constraint Logic Programming 
Based Extension to FAF 

To address the problems described in the previous section, FAF is enhanced by 
adding an integrity constraint specification and derivation module (ISM) and a 
dynamic access grant module (DAM), grants accesses that avoid those conflicts. 
FAF enhanced with these two modules are referred to as dynFAF, shown in 
Figure 1. An access request for (s,o,a) is modeled in dynFAF as a predicate 
instance request(s, o, ±a, t), where (s, o, +a, t) is a request to obtain permission 
for ( s,o,a ) at time t (equals to a query ?grant(s,o,a,t)) and (s,o, — a, t) is a 
request to relinquish already existing permission for (s, o, a) at time t. (equals to 
a query ?relinquish(s,o,a,t)). dynFAF ensures that any request for permission 
is statically granted by FAF, and granting it does not violate any constraints 
specified by ISM. 

3.1 Integrity Constraint Specification 
and Derivation Module (ISM) 

ISM uses two predicates: 

— A binary predicate symbol, conflict, where conf lict(x,y) is an atomic 
conflict where x and y can be either (subject, object, action) triples or object, 
action, or subject terms. 

— A binary predicate symbol derConflict. derConflict has the same argu- 
ments as conflict. derConf lict(x,y) is true iff x,y constitute a derivable 
conflict. 

We use Horn clause rules to specify atomic conflicts and derivable conflicts 
based on already defined atomic conflicts. The corresponding rules are called 
conflict rules and conflict derivation rules, respectively. Each conflict rule has a 
conflict predicate as its head and some cando, dercando, done or rel-literals 
as its body. 
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Example 1 (Conflict Rules) 

conf lict(n, rf) *— (1) 

conflict (orgA, orgs) <— (2) 

conf lict((o, a), (o', a)) <— isPerm(o, a), isPerm(e/, a). (3) 

conflict((A' s , A' 0 , X a ), (X' s , X a , X a )) «- (A s ^ X' s ), in(A s , G, ASH), 

in(A(, G, ASH). (4) 



Rule 1 says that r\ and V 2 are conflicting roles. Rule 2 says that orgA and orgs 
are conflicting organizations. Ride 3 says that ( o,a ) and (o', a') are conflicting 
permissions. Here the predicate isPerm (x.y) is true if x is an object and y is 
an action. Ride 4 says that any two users in group G trying to execute the same 
operation on the same object is a conflict (i.e., only one subject can have the 
permission at any one time such as a semaphore). 

Each conflict derivation rule has a derConflict predicate as its head and 
some conflict, derConflict, cando, dercando, done, or rel-literals as its 
body. As it is used recursively, all appearances of derConflict literals in the 
body of conflict derivation rules must be positive. Example 2 shows some conflict 



derivation rules. 

Example 2 (Conflict Derivation Rules) 

derConf lict(A, Y) <— conf lict(A, Y). (5) 

derConf lict(AV, Y r ) <— derConf lict(A' r ' , Y r i), 

in(Y r , Y r i , ASH), in(A r , X r , , ASH) . (6) 

derConflict ((A s , A 0 , A a ), (A s , A', A')) <— 

conf lict((A' 0 , A' a ), (X' a , X' a )). (7) 

derConf lict(A' 0 , Y 0 ) <— derConf lict(orgiA, orgs), 
in(Y 0 , orgs), in(A' 0 , org A ). (8) 

derConflict((A' s , A 0 , read), (A s , X' a , read)) <— derConf lict(A' 0 , A'^). (9) 

derConf lict(( A„, X r , activate), (A s , Y r , activate)) <— conf lict(A r , Y r ). (10) 



Rule 5 says that every conflict is a derivable conflict. Rule 6 says roles junior 
to conflicting roles are also conflicting. Rule 7 says that obtaining conflicting 
permissions leads to a conflict. Rule 8 and rule 9 say that any pair of objects that 
belong to two conflicting organizations are conflicting objects, and each subject 
can read only one of them. Rule 10 says activating conflicting roles leads to 
conflicts. 

Note that the conflicts specified in FAF and ISM are different. The former, 
refers to static compile time conflict, arises out of over specification of permis- 
sions, and the latter arises due to application specified conflicts that have to be 
resolved dynamically by the run time constraint enforcement module DAM. We 
have chosen to represent only binary conflicts as integrity constraints, inspired 
by the work such as [16, 5, 20, 15, 19, 20], where most constraints are binary con- 
flicts. 
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3.2 The Dynamic Access Grant Module (DAM) 

As stated earlier, the dynamic access grant module first checks if a requested 
permission (s, o, +a, t) is permissible under static FAF policies (by checking if 
do(s, o, +a) is true). If so, then it will further check if granting (s, o, a) at time t 
would violate any integrity constraints specified in ISM. If the answer is negative, 
the requested granted and denied otherwise. DAM is based on some assumptions 
and design choices outlined below. 

First, DAM allows requesters to relinquish already granted access rights. Sup- 
pose dynFAF granted access request (s, o, a), and after some time the requester 
s is willing to relinquish the access right (s,o,a). This kind of actions is widely 
seen in practical systems, (e.g., in workflow management systems) dynFAF al- 
lows this kind of actions by modeling it as a query of ?relinquish(s, o, a, t) with 
an insertion of request(s, o, —a, t) into the authorization specification program. 
Similarly, relinquishes, o, a, t) has no effect on do(s, o, ±a) and, therefore, does 
not alter the unique stable model of the static FAF policy (sans the error rules). 

Second, we assume that access requests are considered in sequence, one at a 
time, at discrete time intervals, referred to as the synchrony hypothesis, under 
which dynFAF accepts only two kinds of requests: to obtain a new permission 
or to relinquish a permission obtained earlier. They are modelled as inserting 
instances of request(s, o, +a, t) and request(s, o, —a, t) into the logic program, 
respectively. dynFAF’s answer to requests are computed as an evaluation of 
grant (s,o,a,t) or relinquishes, o, a, t), depending upon the chosen sign ± for 
the action a in request(s,o, ±a, t). 

Third, we assume that neither grant(s, o, a, t) nor relinquishes, o, a, t) im- 
plies or is implied by done(s, o, a, t) for some time term t. We only assume that 
whenever an ( o,a ) is executed by s at a time t, don e(s, o, a,t) will be inserted 
into FAF, satisfying the following conditions: 1) there is a time tf exists such 
that grant(s, o, a, t') and t' <t hold, 2) there is no t" exists such that t" € ( t' , t) 
and relinquishes, o, a, t") hold. We call this the system integrity hypothesis. 



3.3 DAM Syntax 

The dynamic access grant module uses five 4-ary predicates grant, relinquish, 
validity, holds, and request with arguments subject, object, action and time 
terms, and a 3-ary predicate conf lictingHold. The time parameter t here has 
no relation with the clock time, but serves as a counter of the sequence of requests 
made to the dynFAF since its inception. 

1. grant(s, o, a, t) means that access ( s,o,a ) is granted at time t. 

2. relinquishes, o, a, t) means that access ( s,o,a ) is relinquished at time t. 

3. validity(s, o, +a, t) means that granting permission ( s,o,a ) at t does not 
violate any constraints, while validity(s, o, —a, t) means that granting per- 
mission (s,o, a) at time t does violate some constraints. 

4. holds(s, o, a, t) means that s holds a access to o at time t. 
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5. request(s, o, +a, t) means that at time t subject s requests permission (o, a), 
while request (s, o, — a, f) means that at time t subject s requests to relin- 
quish permission (o,a). Whenever a request (grant or relinquish) is made, 
the corresponding predicate is inserted into dynFAF as fact. 

6. conf lictingHold((s, o, a), (s', o', a'),t) means the authorization (s', o', a') is 
conflicting with (s, o, a) and is holding at time t. 

We now specify the rules of DAM that recursively define predicates grant, 
relinquish, holds, conf lictingHold, and validity as follows: 

grant(® s , ® 0 , x a , 0) <— request)®.,, x 0 , +x a , 0), do(® s , x a , +®«). (11) 

grant (® s , x 0 , x a ,Xt + 1) <— validity(® s , x a , +x a , Xt),-' holds(® s , ® D , x a ,Xt), 

request)®.,, x 0 , +x a , Xt + 1). (12) 

relinquish)®.,, x 0 , x a , Xt + 1) <— holds(® s , ® Q , x a , Xt), 

request)®.,, ® 0 , —x a , ®t + 1). (13) 

Rule 11 says that the first permission that is granted by the dynamic access 
grant module must be statically permissible and requested. Rule 12 says that 
any permission that is not already being held, requested and valid (i.e. would not 
violate any constraints) at time Xt can be granted at time Xt + 1. The next set 
of rules recursively update the holds predicate that capture permissions already 
being held by a subject. 

holds)®.,, ® 0 , Xa , Xt) <— grant(® s , ® Q , x a , Xt). (14) 

holds (® s , Xo, Xa, Xt + 1) <— holds(® s , ®o, Xa, Xt), -relinquish)®.,, ® D , ® Q , xt + 1). (15) 

Rule 14 says that a permission (x 0 ,+x a ) granted to x s at time x t is held by 
x s at time Xt ■ Rule 15 says that any action other than relinquishing the same 
permission by itself does not change the holding state of a subject. The following 
rule defines the predicate conf lictingHold. 

conf lictingHold ((® s , x 0 , x a ), (x' s ,x' 0 , x' a ), Xt) 

<— derConf lict((® s , ® 0 , x a ), (x' s , x' a , x a )), holds)®), x' a , x' a , x t ). (16) 

The rest of the rules recursively define validity that computes if granting a 
permission to a subject will conflict with the outstanding ones at time Xt- 

validity)®.,, ® 0 , +® a , 0) <— -iderConf lict((®(, x' a , x' a ), (x„, x 0 , x a )), 

do (x s ,x 0 ,+Xa), ■ (17) 

validity(® s , x 0 , +®o, Xt) <— grant(® s , ® D , x a , Xt). (18) 

validity(® s , ® 0 , +®o, Xt) <— relinquish(® s , ® D , x a , Xt). (19) 

validity)®^, x 0 , ±x a , Xt + 1) <— grant(®(, x' a , x a , Xt + 1), validity(® s , ® D , ±x a , Xt), 

-iderConf lict((® s , x 0 , x a ), (x' s ,x' 0 , x' a )), 

(Xs,Xo, X a ) ^ (x' s ,x'o, x'a). (20) 

validity)®.,, x 0 , -x a , x t + 1) <— grant)®' , x 0 , x' a , ®t + 1), (® s , x a , x a ) (x' s ,x' 0 , x' a ), 

derConf lict((® s , ® 0 , x a ), (x' 3 ,x' 0 , x a )). (21) 
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validity(x s , x 0 , ±x a , Xt + 1) 



validity(x s , x 0 , —x a , x t + 1 ) <— 



validity(x s , x 0 , +x a , x t + 1 ) 



validity(x s , x 0 , +x a , Xt + 1) 



validity(x s , x 0 , —x a , Xt) <— 



relinquish(x 3 , x' a , x' a , Xt + 1), 
validity(x s , x 0 , ±x tt , Xt), 

-■derConf lict ((x s , x a , x a ), (x'„,x' 0 , x' a )), 



(x s ,Xo,X a ) ^ {x' s , 


/ / \ 
Xo,X a ). 






(22) 


validity(x s , x 0 , - 


-X a ,Xt), 








relinquish(x(, x' c 


„x'a,X t + 1), 








derConf lict ((x s , 


Xo, Xa), {x s , X q, 


Xa)), 






(x s ,x 0 ,x a ) ^ {x's, 


x 0 ,x a ), holds (: 


II II 

X's ? X Q , . 


x'a, Xt), 




(x s ,Xo,Xa) ^ (x", 


' x 0 , x a ) , yx s , X Q 


,x' a ) ^ 


/ ii n 

(x s ,x D 


,X"), 


derConf lict ((x s , 


\ / // // 
Xo-, Xa) i \X S , X 0 . 


,*«))■ 




(23) 


relinquish(x 3 , x[ 


>, X^, Xt + 1), 








validity(x s , x 0 , - 


-X a ,Xt), (X S ,X 0 


, X a ) 7 ^ 


( X s ,X a , 


II \ 

, X a ), 


derConf lict ((x s , 


Xo, Xa), {x s , X o , 


Xa)), 






(x s ,x 0 ,x a ) ^ {x's, 


Xoi X a )i X 0 , 


Xa) 


/ // // 
[Xg , Xq , 


Xa), 


-■derConf lict ((x. 


s, Xqi Xa )} {x s , X 


"o,X a )). 




(24) 



relinquish(x(, x a , x' a , Xt + 1), 

validity (x 3 ,x 0 , -x a ,x t ), (x 3 ,x 0 ,x a ) ^ (x' s ,x' 0 ,x' a ), 

derConf lict ((x s , x D , x a ), (x' s ,x' 0 , x' a )), 

{x s ,Xo,Xa) ^ (x",x",xa),(x a ,x 0 ,x a ) (x",x",x"), 

-iconf lictingHold {{x 3 ,x 0 , x a ),(x'',x'',x”),x t ). (25) 
-ivalidity(x 3 ,x 0 ,+x 0 ,xt). (26) 



Rule 17 is the base step of the recursion saying that every permission that is al- 
lowed by the static component FAF and there is no conflicting permissions exist- 
ing is valid when the dynamic grant module begins. The next two rules 18 and 19 
state that an authorization (s, o, a) is valid at time t if it is granted or relinquished 
at time t. Rules 20 and 21 consider how some other (subject, object, action) pair 
being granted affects the validity of a permission. Rule 20 leaves the validity 
if a non-conflicting permission was granted at time Xt ■ Rule 21 invalidates it if 
another conflicting permission was granted at x t . 

The next four rules address what happens to the state of validity of a permis- 
sion if some other permissions were relinquished. Rule 22 says that if the relin- 
quished permission is not conflicting with the considered one, then the validity 
remains the same. Rule 23 says that if there are other conflicting authoriza- 
tions held in the system, then the validity states of the considered one remains 
invalid. Rule 24 says that if the relinquished permission is the only conflicting 
permission with the considered one in the system, the validity state of the con- 
sidered one will be changed to valid. Rule 25 says that although there are still 
other conflicting permissions with the considered one, if they are all not holding, 
then the validity state of the considered one will be valid. The last rule, rule 
26 says that validity(x s , x a , —x a , Xt) succeeds, when validity(x s , x ot +x a , Xt) 
fails. This rule is necessary because of the following reason. In rules 20, 22, 23 
and 24, validity(x s , x 0 , ±x 0 , Xt + 1) depends upon validity(x s , x 0 ,ikx a , Xt). 
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Thus, in order for the inductive computation of other steps to proceed from Xt 
to Xt + 1 it is necessary to have validity(a: s , x a , —x a , Xt) which is not given by 
rule 21. Therefore, the rule 26 allows us to infer validity(a: s , x 0 , —x a ,Xt) from 
the failure of validity(a; s , x 0 , +x a , xf). 

In section 5 we show that in view of the synchrony hypothesis, grant, 
relinquish, validity and holds are correctly specified. That is grant and 
relinquish satisfy both safety and liveliness properties and have the required 
anti-idempotency properties. In other words, no subject can relinquish permis- 
sions that it does not hold and a subject cannot obtain permissions that it 
already holds. 

Example 3 (Interacting with DAM) Consider the separation of duty exam- 
ple which states that two processes p\ and P 2 may not get write locks on a file 
“foo ” at the same time, but otherwise both processes have static permissions to 
write to “foo”. These requirements are captured by dynFAF as follows. 

do (pi, “ foo ”, -| -write) <— . (27) 

do(p2, “ foo ”, +tt trite) <— . (28) 

derConflict((pi, “foo " , write), (p2, “foo " , write)) <— . (29) 

Rules 21 and 28 state static write permissions to “foo” is given to p± and P 2 
respectively. Rule 29 says that, although pi and P 2 have static write permissions, 
they may not use them simultaneously. 

Now consider a request to obtain write permission to “foo” by pi at time 0. 
That means, requester, “foo” ,+write,0) now becomes a part of the DAM rules. 
Therefore, grant (pi, “foo” , write, 0) now is evaluated to be true as, by rule 11, 
grant (pi, “foo”, write, 0) holds if request (pi, “foo” ,+write,0) and do(pi, “foo”, 
-hwrite) are valid. As a result, p\ is granted write permission on “foo”. 

Now consider a request to write “foo” issued by p 2 at time 1. This request 
is modeled by entering request (p 2 , “foo” ,+write,l) into dynFAF’s rule set. Be- 
cause derConflict((pi, “foo”, write), (p 2 , “foo”, write)) holds, by rule 11 we can 
not get validity(p 2 , “foo”,+write,0). Therefore grant(p 2 , “foo”, write, 1) cannot 
become valid as the only applicable rule 12 results in finite failure. Similarly, 
grant (pi, “foo”, write, 1) also fails in the alternate addition of request (pi, “foo”, 
-t-write, 1) instead of request (p 2 , “foo” , -hwrite, 1) because holds (pi, “foo”, 
write, 1) is valid by ride 14 and 15. 

Now suppose that p\ wishes to relinquish its “write” permission to “foo” at 
time 2. This is done by entering request(pi, “foo”, -write, 2) into dynFAF’s rule 
set. Then by rule 13, relinquish(pi, “foo”, write, 2) evaluates to true because 
of holds (pi, “foo”, write, 1) and requester, “foo”, -write, 2). Now suppose P 2 re- 
quests write permission to “foo” again by inserting requester, “foo”, write, 3). 
At this time grant(p 2 , “foo” , write, 3) succeeds by rule 12 as validity(p 2 , “foo”, 
-hwrite, 2) holds by rule 24- As a result, request (p 2 , “foo”, write) is granted at 
time 3. 
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4 Semantics of dynFAF 

This section describes models of dynFAF syntax. All lemmas and theorems in 
this section are given without proof. We refer the reader to [9] for the formal 
proofs. We consider a dynFAF specification to consist of FAF rules (without 
the error predicates), conflict rules, conflict derivation rules, a collection of 
appropriately constructed (soon to be described) request predicates, and rules 
from 11 to 26. As argued in [17], FAF policies are locally stratified logic programs. 
We now show that dynFAF specifications form locally stratified logic programs. 

Lemma 1 (Local stratification and stable models of dynFAF). 

Any dynFAF specification constitutes a local stratification on its Herbrand base. 
Consequently , dynFAF rules restricted to FAF and ISM have a unique stable 
model that coincides with its well-founded model. 

At any time n, a dynFAF specification consists of the following four kinds of 
rules: FAF rules, ISM rules, a set of n instances of request predicates {request 
(_,_,_,*) : i < n}, and DAM rules consisting of rules 11 through 26, that we 
refer to as F,C,Tr n ,D, respectively. Lemma 1 says that F L) C has a unique 
stable model, denoted by M{FVJ C). Now we build a model, notated as Ad(FU 
C U Try,, IJfl), for FUCUTr„Ufl for each n and another model M(FUCU 
(U jg^TV,;) U D) for F U C U (U i^Trf) U D as three-valued Kripke-Kleene (also 
known as Fitting-Kunen )models [18,11] over M(F U C). We show that every 
grant or relinquish query instance over either of these models evaluate to 
either true or false, and therefore the tlrree-valued model takes only two truth 
values. In doing so, we have to choose a constraint domain and interpretation 
for negation. We choose the finite integer domain, CLP(7\1), as our constraint 
domain and interpret negation as constructive negation [7, 8] as have been used 
for negation by Fages [13, 10]. The latter choice is due to the almost universally 
accepted stance on using constructive negation instead of its classical counterpart 
or negation as failure [22,23,13,10]. The former choice is due to the fact that 
constructive negation proposed by Stuckey [22, 23] requires that the constraint 
domain be admissible closed, whereas that proposed by Fages [13, 10] does not (at 
the cost of requiring some uniformity in computing negated subgoals of a goal). 
We now give formal details. As a notational convention hereafter we denote 
M{F U C U Tr n U D) by M(F, C , Tr n ,D) and M(FL)CU (U i6w Try) U D) by 
M(F,C, Tn,D). 

Definition 1 (n-traces, *-traces and models) For every numeral n, any set 

of predicate instances of the form {request(_, _,_,*) : i < n}, {request(_, _, _, i) : 
i £ u>} are said to be an n-trace and a *-trace respectively, where every request(_, 
_, _, i) term is variable free. 

Let F,C,Tr n ,Tr *, and D be respectively FAF, ISM, n-trace, *-trace, and 
DAM rules. Let <I> be the three-valued Kripke-Kleene immediate consequence op- 
erator. Then we say that (J i£w <P l RuD (F\JC) are the models A i(F, C, R, D) where 
R is either an n-trace Tr n or an *-trace Tr *. 
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As stated in definition 1, a model of M{F, C, R , D) is obtained by evaluating 
the d> operator over a FAF+ISM model Ai(F, C ) ui many times. The reasoning 
behind our choice for the semantics is that FAF already has a (two- valued) stable 
model. In [12], Fitting shows that Uigo, ^Tr„un(^ u C) — U ieui ^Tr n UD,FUc(^)- 
The dynamic grant policy then extends this stable model. Following two claims 
clarify this statement. 

Theorem 1 (Finite termination of dynFAF queries). 

For every numeral n, every grant(_, n), relinquish(_, n), holds(_, 
n), and validity(_, n) query either succeeds or fails finitely, given that 
query over A4(F,C) has the same property. 

Consequently, for every numeral n, the three valued model A4(F,C,R,D) 
evaluates every instance of grant(_, n) or relinquish(_, n) query to be 
either true or false. 

Theorem 1 shows that dynFAF acts like FAF in the sense that every request 
is either honored or rejected. But theoretically there is a remarkable difference 
between a FAF model and a dynFAF model. While every FAF model is a (least) 
fixed point of a monotonic operator (conventionally referred to as the classical 
immediate consequence operator T), a dynFAF model is not a fixed point of 
the so called Fitting-Kunen d> operator [12,10], as it is well known that the 
closure ordinal of the Fitting-Kunen <P operator is not u>. ([12] gives a simple 
counterexample) In contrast, a dynFAF model A l(F, C , R, D) is an w-closure of 
the d> operator of M(F, C) under rules 11 through 26. 

The other pertinent point is that nothing in the logical machinery guarantees 
that the synchrony hypothesis is valid, but conversely the correctness of the 
dynamic access grant module depends upon this externally enforced assumption. 
The next set of results show the connections between different traces. 

Definition 2 (Trace chains) We say that a set of n-traces {Tr n : n > 0} is 
a trace chain iff each Tr n is an n-trace and Tr n C Tr n + \. Then we say that 
Tr * = Tri is the limit of the trace set {Tr n : n > 0}. 

Following results are valid for any trace chain. 

Lemma 2 (Compactness of Traces). 

Suppose {Tr n : n > 0} is a trace chain. Then the following holds: 

1. M(F,C,Tr n , D) |= cf iff M(F,C) |= (f for every FAF or ISM predicate 
instance (j>. 

2. M(F,C,Tr n , D) |= </> iff M(F,C,Tr n+ \, D) \= for every DAM predicate 
instance where the last variable of <f> is instantiated to in for any m < n. 

3. M(F,C,Tr*, D) |= (f> iff A4(F,C,Tr n ,D) \= (j> where cf> is a variable free 
DAM predicate where the numeral instance is n. 

Lemma 2 says that any model M. (F, C, Tr n , D) of F U C U Tr n U D only vali- 
dates the history of dynamic changes taking place over the static model M ( F , C) 
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up to and including time n. It also says that evaluating the Fitting-Kunen <P clo- 
sure operator u> many times does not add any more truth to A4(F, C, Tr„, D) 
than n many times. In that respect, our semantics is finite over finite lifetimes 
of dynFAF evolutions. 

5 Correctness of DAM 

This section shows that dynFAF functions correctly. All lemmas and theorems 
in this section are given without proof. We refer the reader to [9] for the formal 
proofs. Our notion of correctness consists of two parts: (1) dynFAF satisfies 
traditional safety and liveliness properties. (2) grant and relinquish function 
as expected. By safety we mean that any granted permission does not violate 
any constraint. By liveliness , we mean that any requested permission that does 
not conflict with any other outstanding permissions is granted. By the expected 
functionality of grant we mean that any request for already granted permission 
fails. Similarly, the expected functionality of relinquish is that only granted 
permissions are relinquislrable. In order to prove these results, we prove Lemma 3, 
that guarantees the correctness of holds and validity, the two other predicates 
that are for internal use in DAM. 

Lemma 3 (Correctness of holds and validity). 

The following statements hold for every numeral n and every permission triple 
(s, o, a): 

1. A4(F,C,Tr n , D) \= holds(s, o, a, n) iff Ai(F,C,Tr n , D) |= grant(s, o, a, n') 
for some n' < n and Ai(F,C,Tr n , D) |A relinquishes, o, a, m) for all m 
satisfying n' < m < n. 

2. M(F,C,Tr n ,D) \= validity(s, o, +a, n) iff there is no permission (s' , o' , a') 
satisfying A i(F, C, Tr n ,D) |= holds(s', o', a', n) A derConf lict((s, o, a), (s', 
o ' , a')) A do(s', o', +o / ). 

Now we use this result to prove the safety and the liveliness as promised. 

Theorem 2 (Safety and liveliness of dynFAF). 

The following holds for all permissions (s,o,a) and all times n: 

Safety: Suppose A i(F,C,Tr n , D) |= holds(s, o, a, n). Then there is no other 
permission (s', o', a') satisfying M. (F,C,Tr n , D) \= holds (s', o', a', n) A 
derConf lict((s, o, a), (s', o' , a')). 

Liveliness: Suppose M(F,C,Tr n ,D ) |= validity(s, o, a, n) A ^holds(s,o, 
a,n). Then there is a trace Tr n +i satisfying Ai(F, C, TY n +i, D) \= grant(s, 
o, a, n + 1) A holds(s, o, a, n + 1) . 

Now we show that grant and relinquish has the required prerequisites. 
That is, request(_, _, (+)_, n) succeeds and results in grant(_, _, _, n) evaluating 
to true only if this permission has not already outstanding. Similarly, request(_, 
_, (— )_, n) succeeds and results in relinquish^, _, _, n) evaluating to true only 
if this permission is already outstanding. 
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Theorem 3 (Prerequisites of grant and relinquish). 

The following holds for all (s,o,a) and all n: 

grant: M{F,C,Tr n+ \,D) |= grant(s, o, a, n + 1) only if M(F,C,Tr n ,D) ^ 
holds(s, o, a, n). 

relinquish: Ai(F,C,Tr n +\, D) |= relinquishes, o, a, n + 1) only if A4(F,C, 
Tr n ,D) |= holds(s, o, a, n). 



6 Related Work 

Aim and Sandhu introduce a logical language for specifying role-based autho- 
rization constraints named RCL2000 [1]. They identify conflicts as originating 
from conflicting permissions, users and roles, and constraints are stated using 
cardinalities of sets of access or their intersections where most cardinalities are 
restricted to one. They specify several kinds of dynamic separation of duty, with- 
out showing enforcement mechanisms. 

Bertino et al. propose a framework for specification and enforcement of au- 
thorization constraints in workflow management systems [5]. They present a 
language to express authorization constraints as clauses in a logic program and 
propose algorithms to check for the consistency of the constraints and to assign 
roles and users to the workflow tasks in such a way that no constraints are vio- 
lated. The consistency checking algorithms is executed by the security officer in 
role or user planning. 

Similar to FAF, Barker and Stuckey [4] define some special consistency check- 
ing rules (with head of predicates inconsistentssd, inconsistent-dsd) to encode 
the separation of duty constraints. The constraints are checked by the security 
officer whenever new user-role or new role-permission assignments are inserted. 

In comparison, dynFAF has the following advantages in expressing and en- 
forcing constraints. First, we add the ability to derive all binary constraints from 
atomic constraints specified by the SSO using predefined derivation rules. Sec- 
ond, derived constraints are enforced dynamically in the model itself. That is, 
all those and only those access requests that do not violate any constraint will 
be granted - referred to as liveliness and safety, respectively. 

7 Conclusions 

In this paper, we described a constraint logic programming-based approach, 
dynFAF, for expressing and enforcing dynamic constraints as an extension to 
the framework FAF proposed by Jajodia et al. [17]. We limited FAF to rules 
without error predicates; then we enriched FAF with the ability to specify 
atomic binary conflicts and derive complex conflicts using user specified rules. 
This extension constitutes the ISM module. We showed how to extend this syntax 
with an appropriate dynamic access grant module DAM. DAM grants requests 
that do not violate any conflicts. In return, DAM expects the user of the system 
to relinquish granted permissions once they are no longer in need. dynFAF works 
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under the assumptions that access requests are submitted in sequence, one at 
a time and that the permissions obtained are relinquished by giving them up 
to the access controller. The current design of dynFAF requires that these are 
enforced external to the system. 

We have shown that dynFAF models have a unique three- valued model used 
in (constraint) logic programming. We have further shown that any stable model 
(correspondingly well-founded) FAF model is extendible to a tlrree-valued dyn- 
FAF model. In addition, we showed that every instance of a request to grant or 
relinquish permissions made to dynFAF always terminates without floundering 
as a constraint logic program. 
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Abstract. Access control represented by XPath expressions allows for 
access restrictions on elements, attributes, and text nodes according to 
their locations and values in an XML document. Many XML database 
applications call for such node-level access control on concerned nodes at 
any depth. To perform such node-level access control, current approaches 
create heavy loads on XML database applications since these approaches 
incur massive costs either at runtime or for data optimization. In order 
to solve these problems, we introduce an access condition table (ACT), a 
table equivalent to an access control policy, where Boolean access condi- 
tions for accessibility checks are stored. The ACT is generated as a means 
of shifting the extra runtime computations to a pre-processing step. Ex- 
perimental results show that the proposed ACT can handle accesses to 
arbitrary paths at a nearly constant speed. 



1 Introduction 

The Extensible Markup Language (XML [6]) is widely used for data presentation, 
integration, and management because of its rich data structure. Since data with 
different security levels may be intermingled in a single XML document, such as 
business transactions and medical records, access control is required on both the 
element- and attribute-level to ensure that sensitive data will be accessible only 
to the authorized users. In most of the current research, such node-level access 
control is specified with XPath [10] to identify the sensitive portion. 

Since the utilization of global elements and global attributes may scatter 
data throughout an XML document, the node-level access control specification 
is required to cover affected nodes at any depth. For instance, in XML-formatted 
medical records, doctors’ comments may appear anywhere as the occasion de- 
mands. Therefore, to hide comments from unauthorized users, it is required to 
select all of the comments regardless of their locations. 

Many approaches (e.g. [3, 11,21,24]) fulfill access control on arbitrary nodes 
with the descendant-or-self axis of XPath (//) and the propagation mecha- 
nism. Since / / selects a specific descendant in the subtree and propagation mech- 
anism brings access down to the subtree, both of them require node traversal of 
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the entire subtree. Especially for deeply layered XML documents, the enforce- 
ment of // and propagation imposes heavy computational costs. Therefore, some 
of the approaclres(e.g. [3,11,17,21]) trade efficiency off against expressiveness 1 . 

Ideas to efficiently perform an arbitrary XML node selection are also pro- 
posed by [16,19,20,22,28], in which the result of access control is cached for 
each affected node. Since such optimization is generally on a per-document ba- 
sis, the databases with few document updates and document insertions may 
profit from these approaches. However, in real XML database applications, new 
XML documents may frequently be inserted into the database. For instance, 
as E. Cecchet[7] shows, the interaction of EJB-based business applications may 
happen 10 to 200 times per second. If each interaction is recorded into an XML 
document, document-based optimization will be performed frequently and po- 
tentially lead to unacceptable performance. Therefore, we think efficiency should 
be achieved independent of the data in the XML documents. We call this re- 
quirement document-independency. 

In this paper, we introduce a novel access-condition-table-driven mechanism 
which achieves high expressiveness with good document-independent efficiency. 
The access condition table (ACT) is a table storing the paths and the two types 
of access conditions, which are Boolean expressions. Given a path, the ACT 
can provide a proper access condition according to the path location. Then 
the provided access condition is evaluated to decide the accessibility. As far as 
we know, our ACT-driven approach is the first one capable of processing the 
access to an arbitrary path at a nearly constant speed irrespective of the XML 
document. The ACT is free from re-computation as long as the access control 
policy is not updated. In addition, the ACT can provide applicable access control 
for various query languages including XQuery, SQL XML, and XPath. 



1 . 1 Related Work 

Many approaches to enforcing XML access control have been proposed. Some of 
them support full XPath expressions but perform with naive implementations 
which may incur massive computations. For instance, when the access control 
policy is large or the XML document is deep layered, Kudo et al. [21] and 
Gabillon [17] may suffer from high runtime costs, since they create the projection 
of the access control policy on a DOM [18] tree and then evaluate the accessibility 
at each node. The mechanisms proposed in [2, 3, 11, 12] also encounter the same 
problem at runtime since the node-level access control on a DOM-based view 
can be expensive especially for a large XML document. 

Substantial performance costs can be a fatal weakness for a secure XML 
database, access control with a pre-processing optimization to improve runtime 
efficiency has been explored in many research projects [1,8,14,24,28]. For ex- 
ample, the static access optimization algorithm in Murata et al. [24] minimizes 
the runtime checks by determining the accessibility of nodes in a query with 
pre-computed automata which is document- and schema-independent. However, 

1 We use expressiveness to describe the support to //, predicates, and propagation. 
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more than access control policy, the queries, which can be complicatedly ex- 
pressed in XQuery, are required by the system. Our approach is complement to 
their method that we supports node-level access control for more query languages 
but also with more limitations on policy specifications. Yu et al. [28] enforces 
access control by obtaining accessibility from an accessibility map which is op- 
timized on the basis of the XML document and therefore document updates 
and insertions may trigger re-computations. In addition, there are XPath-based 
documents filtering systems [1,8,14] satisfying the requirements of expressive- 
ness and document-independency through pre-computed special data structures. 
However, these approaches do not support to eliminate a denial node from a 
grant tree or sub-tree; therefore, they may be unable to afford appropriate ac- 
cess control for some XML database applications. 

Optimization is also done in a number of research efforts on XML query 
languages (e.g., XPatlr and XQuery [5]). The methods include query optimization 
based on (i) the tree pattern of queries [9, 13, 23, 25-27], (ii) XML data and XML 
schema [16, 19, 20, 22] and (iii) the consistency between integrity constraints and 
schemas [15]. However, these data selection mechanisms are not applicable to 
other query languages and primitive APIs such as DOM. 

Outline. The rest of this paper is organized as follows. After reviewing some 
preliminaries in Section 2, we introduce the features of the ACT in Section 3 
and the construction of the ACT in Section 4. Experimental results are reported 
in Section 5 and the conclusions and future work are summarized in Section 6. 

2 Preliminaries 

XPath. An XPath expression can select nodes based on the document struc- 
ture and the data values in an XML document. A structure-based selection relies 
on the structural relationships, which is expressed by / and //. For example, 
/record//name selects all name in the subtree of record. In addition, value- 
based selection is done by attaching a value-based condition on a specific node: 
if the condition is satisfied, the node is selected. For instance, the XPath expres- 
sion /disclosure [@status= J published 1 ] selects disclosure whose status 
attribute equals ‘published’. In this XPath expression, @status= , published I is 
a value-based condition which is called a predicate. 

Access Condition Policy. Various access control policy models have been 
proposed, but we use the one proposed by Murata et al. [24] in which an access 
control policy contains a set of 3-tuples rules with the syntax: (Subject, Permis- 
sion Action, Object) as shown in Table 1. The subject has a prefix indicating 
the type such as uid and group. “+’ stands for a grant rule while for a denial 
one. The action value can be either read, update, create, or delete. Due to the 
lack of space, we focus on the read action in this paper though the others can be 
implemented with the same mechanisms. The rule with +R or -R is propagation 
permitted that the access can be propagated downward on the entire subtree, 
while +r is propagation denied. As an example, (uid:Seki, +r, /a) specifies 
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Table 1 . Access Control Rule Syntax 



Field 


Description 


Subject 


A human user or a user process with a uid or role prefix 


Permission 


Grant access (+) or denial access(-) 


Action 


r: without propagation; R: with propagation 


Object 


An XPath expression selects affected nodes 



user Seki’s access to /a is allowed but to /a/b is implicit specified since grant 
is not propagated down to the descending paths of /a owing to r. Moreover, 
according to the denial downward consistency in [24] that the descendants of 
an inaccessible node are either inaccessible, there is an accessibility dependency 
between the ancestors and the descendants. Therefore, it is obvious that -r is 
equivalent to -R; and thus, we specify denial rules only with -R in this paper. 
In addition, in order to maximize the security of the data items, we (i) resolve 
access conflicts with the denial-takes-precedence [4], and (ii) apply the default 
denial permission on the paths if no explicit access control is specified. 

3 Features of the Access Condition Table (ACT) 

Before entering the details, we list up some requirements considered to be im- 
portant to an access control system for XML databases. 

— Document-independency and schema-independency should be satisfied. 

— Document updates and document insertions should not trigger any re-com- 
putation. 

— Access control should be applicable to query languages including XQuery, 
SQL XML, and XPath. 

However, we consider these requirements in a system where the frequency of the 
policy updating is far lower than the frequencies of the actions performed. 



3.1 Structure of the ACT 

The ACT is directly generated from an access control policy. Different from 
the access control policy, the ACT separates the affected paths and the related 
conditions from the object. We call the affected paths the target paths. The 
values of each target path are two types of access conditions: access condition and 
subtree access condition. The access conditions are for the accessibility checks on 
the target paths, and the subtree access conditions are for the descending paths. 
Featured with two types of access conditions, the ACT enables access control 
on a path of any length. The key idea of this structure is based on the following 
two observations. 
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— Each / / in an XPath expression can be regarded as a divider. The part on 
the right of // is the condition that should be satisfied by the descending 
paths in the subtree of the part ou the left of //. For instance, granting 
access on /a//c specifies if the node is c in the subtree of a., the access to the 
node is granted. As a result, the accesses to /a/c, /a/b/c, and / a/b/ c/d are 
granted since they are cs in the subtree of a. Therefore, an subtree access 
condition can be prepared at /a, which is responsible for the access to any 
path in the subtree of / a. 

— Propagation is the mechanism controlling the access of the entire subtree. 
For instance, granting access to /a with propagation specifies the accesses 
to a itself and its descendants are granted. However, granting access to /a 
without propagation specifies the access to a is granted but to the descen- 
dant is denied. Since the access conditions to /a and to its subtree can be 
separately specified, we can prepare the access conditions separately as well. 

As a result, we generate two types of access conditions: one is the access con- 
dition for a path itself like a in the above two examples, and the other is the 
access condition for the entire subtree such as the subtree of a in the examples. 
Example 1 shows a simple access control policy and its equivalent ACT. 

Example 1. Given an access control policy P consisting of rules Rl, R2, R3, 
and R4 as follows, the equivalent ACT is as Table 2 shows. 

Rl: (uid:Seki, +r, /a), R2: (uid:Seki, +R, /a/b) 

R3: (uid:Seki, +r, /a/c[g>l]), R4: (uid:Seki, -R, /a/b//e) 

Table 2. Structure of the ACT 



Target Path 


Access Condition 


Subtree Access Condition 


/a 


true 


false 


/a/b 


true 


not (ancestor-or-self::e) 


/a/c 


g>l 


false 



We use an accessibility marked tree, the abstract representation of an XML 
document, to reflect the access control result of P with accessible and inaccessible 
nodes individually distinguished. It also reflects the ACT shown in Table 2 since 
the ACT leads to the same accessibility marked tree. In Fig. 1, grant access 
is propagated from b to e, i, j, f, k and 1 owing to R2 while denial access is 
propagated from e to i and j owing to R4. Therefore, access conflicts occur 
on e, i and j. Finally, e, i and j are inaccessible based on the denial-takes- 
precedence principle. On the other hand, the nodes without access specification, 
d, g, h, and m are ultimately inaccessible owing to the default denial permission. 
In addition, the accessibility of c is decided by the value of g : if g>l then 
accessible, otherwise inaccessible. 

3.2 Pre-computation 

The ACT generation can be considered as a pre-computation stage in which 
some extra computations are shifted from the runtime. Generally, the extra 
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- Black nodes: accessible nodes 

- Circled black nodes: value-based accessible nodes 

- White nodes: inaccessible nodes 

Fig. 1 . The accessibility marked tree of P 



computations are caused by the processes of propagation and conflict resolution. 
Conflict arises when a node is granted access and denied access at the same time. 
For instance, (i) (Sbj , +R, /a), and (ii) (Sbj , -R, /a/b) cause conflict on b 
since b is granted owing to the propagation from a and at the same time denied 
because of the denial specification. Moreover, if multiple bs are subordinate to the 
same a, the propagation and the conflict identically occur on each b. Obviously, 
such repeated processes should be optimized to conserve resources. The ACT- 
driven mechanism moves the processes of propagation and conflict resolution 
into the ACT generation to achieve high runtime performance. 

3.3 Access Conditions and Subtree Access Conditions 

Access conditions and subtree access conditions are Boolean expressions eval- 
uated for accessibility. They are true or false when the objects do not contain 
either a // or a predicate. Only for the objects containing a // or a predicate, is 
the XPatlr expression representing the structure-based or value-based condition 
involved in the condition expressions. 

For instance, for R2 in Example 1, the access condition on /a/b is true and 
the subtree access condition of /a/b is true too since ‘true’ is permitted to spread 
down to the entire subtree of /a/b owing to ‘R’. 

3.4 ACT-Driven Access Control Enforcement 

Since access conditions are path-specific, each node in an XML document can 
obtain a proper access condition through its path expression on the basis of its 
location: one of the target paths or the descending path in someone’s subtree. 

Access control is enforced via an ACT handler that, upon receiving a user 
request, returns accessible data to the user. The user request contains the user 
information and the access target, which can be either a path or an XML docu- 
ment. For a path, the accessibility is decided by evaluating the access condition 
according to its location: if the path is a target path in the ACT, the access con- 
dition is evaluated; otherwise, the closest ancestor is searched for and its subtree 
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access condition is evaluated. For an XML document, the ACT handler traverses 
the document to check the accessibility of each path: if the path is found to be 
accessible, it is added to the user view. In order to improve the performance in 
processing XML documents, the ACT handler adopts a check-skip mechanism to 
skip accessibility checks on the nodes with an inaccessible ancestor. According 
to the denial downward consistency, the nodes with an inaccessible ancestor are 
definitely inaccessible, so the checks on them can be skipped. 

Table 3. Accessibility checks for Seki 



Requested Path 


Target 


Access Condition 


Accessibility Result 


/a 


/a 


true 


Accessible. 


/a/c 


/a/c 


g>l 


Accessible when g is bigger 
than 1, otherwise inaccessible. 


/a/b/h 


/a 


false 


Inaccessible. 


/a/b/e/i 


/a/b 


not (ancestor-or-self: :e) 


Inaccessible. 



Using the ACT in Table 2, we show four examples in Table 3. For instance, 
Seki requests to access a, the ACT handler finds /a in the ACT and therefore 
the access condition, true, is evaluated. Consequently, the access to a is allowed. 
When Seki accesses i whose path is /a/b/e/i, the ACT handler finds it absent 
from the ACT. However, the closest ancestor target path, /a/b, is found and 
the subtree access condition, not (ancestor-or-self : : e) , is provided. Since 
not (ancestor-or-self : :e) is evaluated false for /a/b/e/i, the access is de- 
nied. 

3.5 Limitations on the ACT 

In order to keep the ACT simple, the following four limitations on XPath ex- 
pressions are specified. 

— // is limited to appear only once. (i.e. /a//c//e is not allowed.) 

— A wildcard * should always be accompanied with a // in the form of //*. 
(i.e. /a//b/*/@d is not allowed.) 

— // and * never appear in predicates, (i.e. /a[*>l]/b is not allowed.) 

— Only one node can be identified after //. (i.e. /a//c/d is not allowed.) 

The limitations restrict the expressiveness of the access control policies. Nonethe- 
less, the specification of a node at any depth, e.g. //* [@level= ) classified 1 ] 
and //comment, are supported. In addition, some of these limitations can be 
resolved by XPath extension functions. 

4 Construction of the ACT 

The ACT is generated from the access control policy by fowllowing 5 steps: 

— Step 1: Generate the target paths 

— Step 2: Generate the local access conditions 
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— Step 3: Generate the local subtree access conditions 

— Step 4: Perform propagation 

— Step 5: Perform conflict resolution and expression combination 

Note that the access conditions and the subtree access conditions generated in 
Step 2 and Step 3 are local since propagation has not yet occurred. In Step 4, 
local subtree access control with propagation permission is spread down to the 
descending target paths in the ACT. In Step 5, access conditions and subtree 
access conditions residing on each target path are individually combined. At the 
same time, conflicts are also resolved with the conflict resolution mechanism. 

4.1 Generating the Target Paths 

The target path is generated from the object by removing the additional access 
conditions. If the object contains //, the prefix to // is the target path. If the 
object contains predicates, then the path after removing predicates is the target 
path. However, if the object contains both // and predicates, the path after 
removing the predicates in the prefix is the target path. 

For instance, since R3’s object in Sect. 3.1 contains a predicate, the target 
path is /a/c after removing the predicate from /a/c[g>l]. Moreover, for R4’s 
object /a/b//e, the prefix to / /, which is /a/b, is the target path. 

4.2 Generating the Local Access Conditions 

Local access conditions on each target path are generated from the action and the 
object. If the object contains predicates or //, the additional access conditions 
should be included. 

When the object does not contain either a // or a predicate, the action 
decides the local access condition: true for + and false for -. When the object 
contains a predicate, the predicate relative to the target path is generated as 
the local access condition. If the object contains multiple predicates, the local 
access condition is generated by connecting the predicates relative to the target 
path with ‘and’. However, for the object containing //, the local access condition 
is not available since it specifies access for the descendants rather than for the 
target path itself. 

In the example in Sect. 3.1, the access conditions of /a and /a/b are ‘true’ 
since the actions of R1 and R2 are both r. However, the access condition of /a/c 
is the predicate g>l which is the value-based condition imposed on c. 

4.3 Generating the Local Subtree Access Conditions 

The intuition for subtree access conditions is to combine both information on 
(i) the accessibility dependency from the root to the target path, and (ii) the 
ancestor-descendant relationship from the target path to an arbitrary descend- 
ing path. Only when both (i) and (ii) are satisfied can the nodes in the subtree 
be accessible. We use ancestor-or-self axis and descendant-or-self axis to 
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describe the structural relationship between ancestors and descendants. Algo- 
rithm 1 shows the subtree access condition generation when given the action A 
and the object T. In addition, in this section we address the case that predicates 
and // do not appear in the same T. 

Algorithm 1. Subtree access condition generation. 

If T contains //, then T can be represented as /ei//e n . 

if (T contains ’//’) then 
if (A is ’ +R’) then 

subtree access condition <— ancestor-or-self : : e n or 
descendant-or-self : :e n 
else if (A is ’+r’) then 

subtree access condition descendant-or-self : :e n 
else if (A is ’-R’) then 

subtree access condition <— not (ancestor-or-self :: e„) 

end if 

else 

if (A is ’ +Rd) then 

subtree access condition <— true 

else if (A is ’-Rd) then 

subtree access condition <— false 

else 

return // local subtree access condition is N/A 

end if 
end if 

According to the above algorithm, R4: (uid : Seki , -R, /a/b//e) in Sect. 3.1 
leads to a local subtree access condition not (ancestor-or-self : :e) stating 
that if the requested node is e below /a/b or has such an ancestor e, it is inac- 
cessible. Therefore, subtree access conditions enable access control on a path of 
any depth. 

4.4 Performing Propagation 

The propagation mechanism brings the local subtree access conditions to a wide 
descendant area. In our approach, propagation is performed by adding the local 
subtree access condition to both the access conditions and the subtree access 
conditions of the descending target paths. To reduce the runtime computation 
costs, at this step the propagated subtree access conditions are evaluated as to 
whether or not they are satisfied by the current descending target path. If so, 
the access conditions are rewritten as true or false based on the propagated 
access. 

4.5 Performing Expression Combination and Conflict Resolution 

Since the propagation mechanism transmits ancestral access to the descending 
target paths, multiple access conditions and subtree access conditions may apply 
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to each target path. Rather than simply connect all of the conditions with the 
Boolean operators and or or, we logically combine the access conditions into a 
Boolean expression. In addition, when access conflict happens, it is resolved with 
the denial-takes-precedence policy. 

In Example 1 of Sect. 3.1, after performing the four steps, two different sub- 
tree access conditions are imposed on / a/b. One is true specified by R2, the other 
is ancestor-or-self : :e specified by R4. According to the expression combi- 
nation, the subtree access condition is true and not (ancestor-or-self : :e), 
which can be rewritten to not (ancestor-or-self : :e). 

4.6 Enhanced Subtree Access Conditions 

In this section, we introduce a mechanism to handle the case where a predicate 
and the permitted propagation appear at the same time, which is not handled 
by the algorithm in Sect. 4.3. 

Suppose there is a P' containing a propagation permitted third rule that 
R3’:(uid:Seki, +R, /a/c[g>l]). Owing to propagation, R3’ implies the ac- 
cess to g and m should be decided by evaluating the predicate relative to c. There- 
fore, it is required to convert the predicate relative to c into the ones relative 
to c from the accessed descendants, such as . . Cg> 1] from g and . ./. . [g> 1] 
from m. It is obvious that the descendant at a different depth leads to a different 
relative predicate, and it is necessary to describe this non-deterministic relative 
relationship in a static way. 




- Black nodes: accessible nodes 

- Circled black nodes: value-based accessible nodes 

- White nodes: inaccessible nodes 

Fig. 2. The accessibility marked tree of P 1 



However, according to the denial downward consistency, we can say when 
c is accessible its descendants are all accessible if no other denial access is im- 
posed. Therefore, the non-deterministic relative relationship can be regarded as 
a value-based accessibility dependency on c in this example. Moreover, regard- 
less of the locations, all descendants below c can share the same value-based 
accessibility dependency. A system variable ref (target path) is used to rep- 
resent this dependency: if the value-based target path is evaluated accessible, 
then the descendant is accessible. 
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Fig. 2 shows the accessibility marked tree for P' in which arrows starting 
with g and m ending with ancestor c represent the accessibility dependency. 
The local subtree access condition of R3’ can be simply notated as ref (/a/c). 
Furthermore, the accessibility reference is also required when the object contains 
// with a predicate before, like (uid:Seki, +r, /a/b [f >1] //e) . Using the 
same mechanism, the local subtree access condition is therefore ref (/a/b) and 
descendant-or-self : :e. 

5 Experiments 

To validate the efficiency of the ACT, we ran a variety of experiments to see 
how our techniques perform. We measured view generation time, the time cost 
to generate the view of an XML document based on the policy, to compare the 
performance between our ACT-driven enforcement and a simple implementation 
without pre-computing access conditions. The purposes of the experiments are 
to see (i) how the policy size works on the view generation time, (ii) how the 
ACT performs comparing with the simple implementation, and (iii) how ACT 
performs when // appears. 

5.1 Experimental Data 

Experimental Environment. All experiments were run on a 3.06 GHz Xeon 
processor with 2.50 GB RAM. In this paper, we report on an XML document ob- 
tained from http://www.w3c.org, which was generated on the basis of xmlspec- 
v20.dtd, with a data size of almost 200 KB, 768 types of paths, and 4,727 nodes 
when represented as an XML tree. 

For simplicity in the experiments, we created policies for a single user. Nonethe- 
less, we can use multiple ACTs for multi-user scenario. Moreover, we ran compar- 
ison experiments for structure-based access control, but did not for value-based 
since the performance partly depends on the efficiency of the predicate evalua- 
tion. However, we can infer the performance from the results of our experiments. 



Access Control Policy Patterns: pattern-a and pattern-b. The access con- 
trol policies were not randomly generated. In particular, we guaranteed that no 
duplicated access was imposed on the inaccessible descendants, since ‘denial’ is 
already contained in the inaccessible ancestor according to the denial downward 
consistency. 

We generated the policy with accessible nodes as the object and +r as the 
action, and named it pattern-a access control policy. We also generated a cor- 
responding reverse version, pattern-b , that contained denial rules on the most 
ancestral node of each denial subtree. In addition, pattern-b also contains a grant 
rule specified on the root node with +R. Conceptually, pattern-a selects the acces- 
sible nodes from the inaccessible region while pattern-b selects the inaccessible 
nodes from an accessible region. Fig. 3 shows an example for the accessibility 
marked tree Tree, with the corresponding access control policies in pattern-a and 
pattern-b as shown in the figure. 
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Access control policy in pattem-a: 




(uid : 8eki. +r, /a) 
(uid:Seki, +r, /a/b) 
(uid'Seki, +r, /a/c) 



Access control policy in pattern-b : 



(uickSeki, +R, /a) 
(uid^Seki, -r, /a/d) 



Tree 



Fig. 3. Access control policies for Tree 



Access Control Policies. We generated 11 paired sets of the access control 
policies in pattern-a and pattern-b with an access ratio varying from 0.03 to 0.95, 
where the access ratio is the fraction of the accessible nodes in the XML structure 
tree. The XML structure tree is the one built by the set of the paths appearing in 
the XML document. Policy size is the number of rules in an access control policy. 
The policy sizes of these access control policies are different, as Fig. 4 shows. 
Since in pattern-a the greater the access ratio is, the more nodes are explicitly 



specified, the size of the policy increases proportionally. On the other hand, in 
pattern-b rather than listing up each inaccessible node, only those inaccessible 
ones with an accessible parent are specified denial access. Consequently, the size 
of pattern-b is much smaller than pattern-a and without a regular form. 

For the access control policies in both patterns, the size of the corresponding 
ACT is almost the same for each policy size, and thus Fig. 4 can be regarded as 
the chart for the ACT size. 

5.2 Experimental Results 

We show the advantages of the ACT through performance comparisons between 
the ACT-driven and a simple enforcement, which has a hash table structure 
storing the Subject , Object , and Permission Action introduced in Table 1. In 




800 



pattem-a 
■ pattem-b 



0 0.2 0.4 0.6 0.8 1 

Access Ratio 

Fig. 4. Policy Size versus Access Ratio in pattern-a and pattem-b 



Access-Condition- Tabic-Driven Access Control for XML Databases 



29 



the simple enforcement, each requested path is checked by evaluating the access 
control policies with Objects matched by the requested path. The check-skip 
mechanism introduced in Sect. 3.4 is also used by the simple enforcement. 




Access Ratio 

Fig. 5. View Generation Time versus Access Ratio 



Relationship Between the Policy Size and the View Generation Time. 

Fig. 5 respectively shows the view generation times of the simple enforcement 
(Simple) and the ACT-driven enforcement (ACT) for both pattern-a and pattern- 
b , when the access ratio is varied from 0.03 to 0.95. In addition, in the figure 
we also show the tree traversal time , which is the time required by traversing 
the entire DOM structure. Time costs on accessibility checks for both Simple 
and ACT are the results by subtracting the tree traversal times from the view 
generation times. 

From the figure, we can see that the chart of pattern-b is very similar to that 
of pattem-a in the trend: the larger the access ratio, the more time is required 
by Simple but ACT is almost constant. In particular, for pattern-a , when the 
access ratio is higher than 60%, ACT performs more than 4 times faster than 
Simple and when the access ratio is 95%, it reaches 5 times; while for pattern-b, 
Simple takes more than 2 times as long compared to ACT, while ACT shows 
quite slow growth. Furthermore, for the time costs on accessibility checks, which 
ignores the time of a DOM-based traversal, ACT performs much better than 
Simple that ACT is 11 ~ 15 times faster than Simple for pattern-a when the 
access ratio is higher than 60%, and approximately 4 times faster for pattern-b. 

In our experiments, a DOM-based traversal is used to retrieve paths from 
the XML document. However, other means of path retrievals may lead to less 
view generation times. Nonetheless, time costs on accessibility checks will not 
change for both ACT and Simple, which we have shown above. 

How ACT Performs for //. To illustrate the advantages of the ACT-driven 
access control specified with / /, we also ran experiments on the third set of 
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access control policy data. We converted 20%, 25%, and 33% percentage of 
access control rules in pattern-b into rules with objects containing a //. The 
results are quite similar to each other, and therefore we show only the 20% case 
in Fig. 6. 




Access Ratio 



Fig. 6. Simple versus ACT on // 



From the figure, we can see that ACT takes less time on view generation and 
the time increases slightly as the access ratio grows. In particular, ACT is faster 
than Simple by more than 3 times when the access ratio is 60% and by 5 times 
when 95%. Moreover, for the time costs on accessibility checks, ACT performs 
6 times faster than Simple at most. 

Our comparison experiment results show the ACT can perform almost con- 
stantly no matter with the policy size. And it is clear that the ACT-driven 
access control enforcement also shows advantages for //. The efficiency of the 
ACT is achieved with minimum computation costs by eliminating the processing 
of propagation and conflict resolution from the runtime. 

6 Conclusion and Future Work 

In this paper, we proposed an ACT-driven access control mechanism to provide 
efficient node-level access control. Using document- and schema-independent op- 
timization features, the ACT is capable of handling various XML database ap- 
plications without re-computation triggered by data and schema updates. In ad- 
dition, our approach shifts most of the extra computations to the pre-processing 
stage to save on the runtime costs, which yields efficient performance that it can 
provide structure-based access control nearly in constant time. 

On the other hand, some further research work is required. We have placed 
four limitations on access control policy, some of them can be resolved by XPath 
extension functions. Another important effort is to integrate the ACT approach 
with the static analysis method [24] in a well-balanced manner to improve ex- 
pressiveness and performance. 
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Abstract. Enterprise privacy enforcement allows enterprises to internally en- 
force a privacy policy that the enterprise has decided to comply to. To facilitate 
the compliance with different privacy policies when several parts of an organiza- 
tion or different enterprises cooperate, it is crucial to have tools at hand that allow 
for a practical management of varying privacy requirements. 

We propose an algebra providing various types of operators for composing and 
restricting enterprise privacy policies like conjunction, disjunction, and scoping, 
together with its formal semantics. We base our work on a superset of the syn- 
tax and semantics of IBM's Enterprise Privacy Authorization Language (EPAL), 
which recently has been submitted to W3C for standardization. However, a de- 
tailed analysis of the expressiveness of EPAL reveals that, somewhat surprisingly, 
EPAL is not closed under conjunction and disjunction. To circumvent this prob- 
lem, we identified the subset of well-founded privacy policies which enjoy the 
property that the result of our algebraic operations can be turned into a coherent 
privacy policy again. This enables existing privacy policy enforcement mecha- 
nisms to deal with our algebraic expressions. We further show that our algebra 
fits together with the existing notions of privacy policy refinement and sequential 
composition of privacy policies in a natural way. 



1 Introduction 

Not only due to the increasing privacy awareness of costumers, the proper incorporation 
of privacy considerations into business processes is gaining importance. Also regulatory 
measures like the Children’s Online Privacy Protection Act (COPPA) or the Health In- 
surance Portability and Accountability Act (HIPAA) illustrate that avoiding violations 
of privacy regulations is becoming a crucial issue. While the Platform for Privacy Pref- 
erences Project (P3P) [21] is a valuable tool for dealing with privacy concerns of web 
site users, the fine-grained treatment of privacy policies in business-to-business mat- 
ters is still not settled satisfyingly. E.g., a language for the internal privacy practices 
of enterprises and for technical privacy enforcement must offer more possibilities for 
fine-grained distinction of data users, purposes, etc., as well as a clearer semantics. To 
live up to these requirements, enterprise privacy technologies are emerging [9], One 
approach for capturing the privacy requirements of an enterprise - which however does 
not specify the implementation of these requirements - is the use of formalized enter- 
prise privacy policies [1 1, 17, 16]. 

P. Samarati et at. (Eds.): ESORICS 2004, LNCS 3193, pp. 33-52, 2004. 
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Although the primary purpose of enterprise privacy policies is enterprise-internal 
use, many factors speak for standardization of such policies. E.g., it would allow cer- 
tain technical parts of regulations to be encoded into such a standardized language once 
and for all, and a large enterprise with heterogeneous repositories of personal data could 
then hope that enforcement tools for all these repositories become available that allow 
the enterprise to consistently enforce at least the internal privacy practices chosen by the 
CPO (chief privacy officer). For these reasons, IBM has proposed an Enterprise Privacy 
Authorization Language (EPAL) as an XML specification, which has been submitted 
to W3C for standardization. EPAL allows for a fine-grained description of privacy re- 
quirements in enterprises and could become a valuable tool for (business) processes that 
span several enterprises or different parts of a larger organization. 

An enterprise privacy policy often reflects different legal regulations, promises 
made to customers, as well as more restrictive internal practices of the enterprise. Fur- 
ther, it may allow customer preferences. Hence it may be authored, maintained, re- 
placed, and audited in a distributed fashion. In other words, one will need a life-cycle 
management system for the collection of enterprise privacy policies. However, despite 
considerable advancement in this area, current approaches are based on monolithic and 
complete specifications, which is very restrictive given that several policies might have 
to be enforced at once while being under control of different authorities. Having in 
mind actual use cases where sensitive data obeying different privacy regulations has to 
be merged or exchanged, this situation calls for a composition framework that allows 
for integrating different privacy policies while retaining their independence. While such 
thoughts occur as motivation in most prior work on enterprise privacy policies, the few 
tools provided so far are not very expressive, and even intuitively simple operations 
have not been formalized yet. 

Motivated by successful applications of algebraic tools in access control [7, 24, 8, 
25], our goal is to provide an expressive algebra over enterprise privacy policies together 
with its formal semantics, offering operators for combining and restricting policies, 
along with suitable algebraic laws that allow for a convenient policy management. We 
do this concretely for the IBM EPAL proposal. However, for a scientific paper it is 
desirable to avoid the lengthy XML syntax and use a corresponding abstract syntax 
presented in [2,4] and known as E-P3P (which, like EPAL, is based on [17]). 

To employ existing privacy policy enforcement mechanisms to our algebraic expres- 
sions, it is necessary to represent the results of the operators as a syntactically correct 
privacy policy again. While achieving this representation has been identified as a core 
property in previous work on algebras for access control policies [7], and also explored 
there in detail, achieving the same result for enterprise privacy policies as in EPAL 
seems rather involved because of the treatment of obligations, different policy scopes, 
default values as well as a sophisticated treatment of deny-rules. In fact, our analysis 
of the expressiveness of EPAL shows that EPAL is not closed under operations like 
conjunction and disjunction, hence the aforementioned representation can often not be 
achieved. To circumvent this problem, we identify the set of well-founded policies, 
which constitutes a subset of all EPAL policies, for which we can give a constructive 
algorithm that represents the results of our algebraic operations as a well-founded EPAL 
policy again. 
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The first operators we define are policy conjunction and disjunction, which serve 
as the basic building blocks for constructing larger policies. For instance, an enterprise 
might first take all applicable regulations and combine them into a minimum policy by 
means of the conjunction operator. A general promise made to the customers, e.g., an 
existing P3P translated into the more general language, may be a further input. As one 
expects, these operators are not a simple logical AND respectively OR for expressive 
enterprise privacy policies for the reasons depicted above. We show that these operators 
enjoy the expected algebraic laws like associativity or distributivity. Our third operator 
- scoping - allows for confining the scope of a policy to sub-hierarchies of a policy. 
This is of major use in practice as it enables managing respectively reasoning about 
privacy requirements that involve only certain parts of an organization. 

We further sketch some extensions of our algebra; in particular, we incorporate the 
sequential composition of privacy policies, which has been introduced in [4], and we 
explore its relationship to our remaining operators. 

Further related literature. Policy composition has been treated before, in particular for 
access control [7,8, 10, 19, 15,26], systems management [20], separation-of-duty [23, 
13], or 1PSEC [12]. The algebra discussed below is clearly motivated by existing work 
on algebras for access control polices [7, 24, 8, 25]. We are not aware of a similar pro- 
posal for privacy policies although certain aspects have been addressed before, e.g., [18] 
points out possible conflicts if EPAL policies from different origins have to be dealt 
with. The publication closest to our algebra of privacy policies is [4], which introduces 
a notion of sequential composition of privacy policies as well as the notion of policy 
refinement. The present paper tries to extend this pool of algebraic tools. Compared 
with existing access-control languages, the core contribution of new privacy-policy lan- 
guages [ 1 1 , 1 7, 1 6] is the notion of purpose and purpose-bound collection of data, which 
is essential to privacy legislation. Other necessary features that prevent enterprises from 
simply using their existing access-control systems and the corresponding algebras are 
obligations and conditions on context information. Individually, these features were also 
considered in literature on access control, e.g., purpose hierarchies in [6], obligations in 
[5,14, 22], and conditions on context information in [26]. 

2 Syntax and Semantics of E-P3P Enterprise Privacy Policies 

Informally speaking, the aim of a privacy policy is to define by whom, for which pur- 
poses, and in which way collected data can be accessed. Further on, a privacy policy 
may impose obligations onto the organization using the data. Privacy policies formal- 
ize privacy statements like “we use data of a minor for marketing purposes only if the 
parent has given consent” or “medical data can only be read by the patient’s primary 
care physician”. This section mainly recalls the abstract syntax and semantics E-P3P 
[2,4] of IBM’s EPAL privacy policy language [1] up to some augmentations needed to 
achieve the desired algebraic properties, e.g., that obligations are already structured in 
a suitable way. Motivated by recent changes in EPAL, our specification of E-P3P de- 
viates from the one in [4] in the handling of so-called “don’t care” rulings: In analogy 
to EPAL 1.2, we only allow the default ruling to return a “don’t care”, and we demand 
that no obligations may be imposed in this case. 
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2.1 Hierarchies, Obligations, and Conditions 

First, we recall the basic notions of hierarchies, obligations, and conditions used in 
E-P3P, and operations on them as needed in later refinements and operators of our al- 
gebra. For conveniently specifying rules, the data, users, etc. are categorized in E-P3P 
as in many access-control languages. The same applies to the purposes. To allow for 
structured rules with exceptions, categories are ordered in hierarchies; mathematically 
they are forests, i.e., multiple trees. For example, a user “company” may group sev- 
eral “departments”, each containing several “employees”. The enterprise can then write 
rules for the whole “company” with exceptions for some “departments”. 

Definition 1 (Hierarchy). A hierarchy is pair ( //. > n) of a finite set H and a transi- 
tive, non-reflexive relation >h C HxH, where every h € H has at most one immediate 
predecessor {parent). A.? usual we write >h for the reflexive closure. 

For two hierarchies (H, >h) and ( G , >g), we define 

( H , >h) Q (G, >g) :•<=> (H C G) A ( >h C >g)\ 

(H, >h) U (G, >g) ■= (H U G, (>h U >g)*); 

where * denotes the transitive closure. Note that a hierarchy union is not always a 
hierarchy again. O 

As mentioned above already, E-P3P policies can impose obligations, i.e., duties for an 
organization/enterprise. Typical examples are to send a notification to the data subject 
after each emergency access to medical data, or to delete data within a certain time 
limit. Obligations are not structured in hierarchies, but by an implication relation. E.g., 
an obligation to delete data within 30 days implies that the data is deleted within 2 
months. The overall obligations of a rule in E-P3P are expressed as sets of individual 
obligations which must have an interpretation in the application domain. As multiple 
obligations may imply more than each one individually, the implication relation (which 
must also be realized in the application domain) is specified on these sets of obligations. 
We also define how this relation interacts with vocabulary extensions. 

Definition 2 (Obligation Model). An obligation model is a pair (O, — >o) of a set O 
and a transitive relation — >o C ‘P(O) x ^(O), spoken implies, on the powerset of O, 
where 0\ — >o 02 for all 02 C di, i.e., fulfilling a set of obligations implies fulfilling all 
subsets. For O' D *$( 0 ), we extend the implication to O' x (O) by ((di — *0 02) :< ^ 

(di n O >0 02)). 

For defining the AND and OR-composition of privacy policies in a meaningful way, 
we moreover assume that ^(O) is equipped with an additional operation V, such that 
(?P( 0 ), V, U) is a distributive lattice; the operator V reflects the intuitive notion of OR 
( in analogy to the set-theoretical union U which corresponds to AND). In particular, we 
require the following: 

- for all di , 02 C O we have b\ —>o (di V 02) 

- for all di, 02, oj, o' 2 C O we have (o\ — >0 02) A (o[ —>o o' 2 ) implies both (di V 
o[) —>o (02 V d' 2 ) and (di U o\) — >0 (02 U d' 2 ). 
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Finally, we assume that all occurring obligation models ( O , — »o) are subsets of a fixed 
(super) obligation model OMq = {Oq, — >o 0 ) such that — »o is the restriction of^>o 0 

to qj(O) x qj(O). O 

The decision formalized by a privacy policy can depend on context data like the age of 
a person. In EPAL this is represented by conditions over data in so-called containers 
[1]. The XML representation of the formulas is taken from [26], which corresponds 
to a predicate logic without quantifiers. In the abstract syntax in [2], conditions are 
abstracted into propositional logic, which is too coarse for our purposes. Hence, as in in 
[4] we use an extension of E-P3P formalizing the containers as a set of variables with 
domains and the conditions as formulas over these variables. 

Definition 3 (Condition Vocabulary). A condition vocabulary is a pair Var = 
(V, Scope) of a finite set V and a function assigning every x £ V, called a variable, a 
set Scope (x), called its scope. 

Two condition vocabularies Var i = (Vi , Scope f), Var 2 = (V 2 ,Scope 2 ) are com- 
patible if Scope x {x) = Scope 2 {x) for all x € V\ IT V 2 . For that case, we define their 
union by Vary U Var 2 := (Vi U V 2 ,Scope 1 U Scopef). O 

One may think of extending this to a full signature in the sense of logic, i.e., including 
predicate and function symbols - in EPAL, this is hidden in user-defined functions that 
may occur in the XACML conditions. For the moment, we assume a given universe of 
predicates and functions with fixed domains and semantics. 

Definition 4 (Condition Language). Let a condition vocabulary Var = (V, Scope ) 
be given. 

- The condition language C ( Var) is the set of correctly typed formulas over V us- 
ing the assumed universe of predicates and functions, and in the given syntax of 
predicate logic without quantifiers. 

- An assignment of the variables is a function x- V — > Ua-ey Scope(x) with x{ x ) € 
Scope (x) for all x € V. The set of all assignments for the set Var is written 
2lss( Var). 

- For x G 2lss( Var), let eval x : C(Var) —> {true, false} denote the evaluation 
function for conditions given this variable assignment. This is defined by the un- 
derlying logic and the assumption that all predicate and function symbols come 
with a fixed semantics. 

- For x € 2lss( Var), we denote by c x G C{Var) some fixed formula such that 
eval x (c x ) = true and eval x fc x ) = false for all x' G 2tss( Var) \ {x}. 

We do not consider partial assignments as is done in [4] since they do not occur in EPAL 

1.2 any more. 

2.2 Syntax of E-P3P Policies 

An E-P3P policy is a triple of a vocabulary, a set of authorization rules, and a default rul- 
ing. The vocabulary defines element hierarchies for data, purposes, users, and actions, 
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as well as the obligation model and the condition vocabulary. Data, users, and actions 
are as in most access-control policies (except that users are typically called “subjects” 
there, which in privacy would lead to confusion with data subjects), and purposes are 
an important additional hierarchy for the purpose binding of collected data. 

Definitions (Vocabulary). A vocabulary is a tuple Voc = ( UH , Dll , PH . A // , 
Var , OM ) where UH, DH, PH, and AH are hierarchies called user, data, purpose, 
and action hierarchy, respectively, and Var is a condition vocabulary and OM an obli- 
gation model. O 

As a naming convention, we assume that the components of a vocabulary Voc are al- 
ways called as in Definition 5 with UH = (U, >u), DH = ( D , >d), PH = (P, >p), 
AH = ( A , > J 4 ), Var = (V, Scope), and OM = (O,— >o)> except if explicitly stated 
otherwise. In a vocabulary Voct all components also get a subscript i, and similarly for 
superscripts. Differing from [4] we require that a set of authorization rules (short rule- 
set ) only contains authorization rules that allow or deny an operation, i.e., we do not 
allow rules which yield a “don’t care” ruling. This reflects the latest version of EPAL. 
Further on, motivated by EPAL’s implicit handling of precedences through the textual 
order of the rules, we call a privacy policy well-formed if rules which allow for contra- 
dicting rulings do not have identical precedences (actually, in EPAL two rules can never 
have identical precedences). 

Definition 6 (Ruleset and Privacy Policy). A ruleset /or a vocabulary Voc is a subset 
ofZxU x D x P x Ax C( Var) x <p(0) x {+, -}. 

A privacy policy or E-P3P policy is a triple ( Voc , R, dr) of a vocabu- 
lary Voc, a rule-set R for Voc, and a default ruling dr £ {+, o, — }. The 
set of these policies is called EP3P, and the subset for a given vocabulary 
EPSP(Voc). Moreover, we call (Voc, R, dr) € EP3P well-formed, if for all rules 
(■ i , u, d,p, a, c, b, r), ( i , u ' , d! ,p' , a' , d , o', d) £ R with identical precedences and for 
all assignments x G 2lss( Var) the implication ( cval x (c ) = true = eval x (d)) => 
(r = d) holds. O 

The rulings +, o, and — mean “allow”, “don’t care”, and “deny”; the value o is special 
in the sense, that it can only be assigned to the default ruling of a policy. As a naming 
convention, we assume that the components of a privacy policy called Pol are always 
called as in Definition 6, and if Pol has a sub- or superscript, then so do the components. 

2.3 Semantics of E-P3P Policies 

An E-P3P request is a tuple (u, d, p, a) which should belong to the set UxDxPxA for 
the given vocabulary. Note that E-P3P and EPAL requests are not restricted to “ground 
terms” as in some other languages, i.e., minimal elements in the hierarchies. This is use- 
ful if one starts with coarse policies and refines them because elements that are initially 
minimal may later get children. For instance, the individual users in a “department” of 
an “enterprise” may not be mentioned in the CPO’s privacy policy, but in the depart- 
ment’s privacy policy. For similar reasons, we also define the semantics for requests 
outside the given vocabulary. We assume a superset S in which all hierarchy sets are 
embedded; in practice it is typically a set of strings or valid XML expressions. 




An Algebra for Composing Enterprise Privacy Policies 



39 



Definition 7 (Request). For a vocabulary Voc, we define the set of valid requests as 
R.eq{ Voc) := UxDxPxA. Given a superset S of the sets U , D , P , A of all considered 
vocabularies, the set of all requests is Req := S 4 . 

For valid requests (it, d,p, a), (it', d',p', a') £ Req( Voc ) we set 

(it, d,p, a) < (u , d',p', a) :<£> u <jj u and d <p> d' and p <p p and a <a a . 

Moreover, we set (u,d,p,a) <1 {u' ,d' ,jf ,a') if and only if there is exactly one x £ 
{it, d,p, a } such that x' is the parent of x and for all y £ {it, d,p , a} \ {x} we have 
y = y' . Finally, we refer to a valid request (it, d, p, a) £ Req( Voc ) as leaf or leaf node 
if u, d,p, and a are leaves in the respective hierarchy. We denote the set of all leaves of 
Req( Voc ) bv L( Voc ) and for q £ Req( Voc), we set L(q , Voc) := {q' £ L( Voc) \ q' < 

' ' o 

The semantics of a privacy policy Pol is a function eval p 0 i that processes a request 
based on a given assignment. The evaluation result is a pair (r, o) of a ruling (also 
called decision ) and associated obligations; in the case of a “don’t care”-ruling (r = o) 
we necessarily have d = 0, i.e., no obligations are imposed in this case. Our semantics 
follows the E-P3P semantics in [4], but we restrict our definition to the (from the prac- 
tical point of view most relevant) case of well-formed policies, which simply avoids a 
separate treatment of conflicts among rules. We further permit the exceptional ruling 
scope-error which indicates that a request was out of the scope of the policy. 

The semantics is defined by a virtual pre-processing that unfolds the hierarchies 
followed by a request processing stage. We stress that this is only a compact definition 
of the semantics and not an efficient real evaluation algorithm. 

Definition 8 (Unfolded Rules). For a privacy policy Pol = ( Voc , R, dr), the unfolded 
rule set UR(Pol) is defined as follows: 

URD(Pol) := {(z, v ! , d! ,p' , a ' , c, o, r) £ R \ 3 (i, u , d,p, a , c, o, r) £ R 
with u >u u A d >p> d' A p >p p A a >a a ! }; 

UR(Pol) := URD(Pol) 

U {(z, u', d',p', a 1 , c, o, — ) £ R \ 3(i, u, d,p, a, c, o, — ) £ URD(Pol) 
with u' >u u A d! >d d Ap' >p p A a' >a a}. O 

A crucial point in this definition is the fact that “deny”-rules are inherited both down- 
wards and upwards along the four hierarchies while “allow”-rules are inherited down- 
wards only. The reason is that the hierarchies are considered groupings: If access is 
forbidden for some element of a group, it is also forbidden for the group as a whole. 

Next, we define which rules are applicable for a request given an assignment of the 
condition variables. These (unfolded) rules have the user, data, purpose, and action as 
in the request, and we make 

Definition 9 (Applicable Rules). Let a privacy policy Pol = ( Voc, R, dr), a request 
q = (it, d,p, a) £ Req( Voc), and an assignment \ £ 2tss( Var) be given. Then the set 
of applicable rules is 

AR(Pol, q , x) := {(*, u, d,p, a, c, o, r) £ UR(Pol) \ eval x (c) = true}. 



O 
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To formulate the semantics, it is convenient to define the maximum and minimum prece- 
dence of a policy. 

Definition 10 (Precedence Range). For a privacy policy Pol = ( Voc, R, dr), let 
max(Pol) := max{« | 3 (i,u,d,p,a,c,d,r) € R} and min(Pol) := min{z | 3 (i,u, 
d,p,a,c,d,r) £ R}. O 

We can now define the actual semantics, i.e., the result of a request given an assignment: 

Definition 11 (Semantics). Let a well-formed privacy policy Pol = ( Voc , R, dr), a 
request q = (■ u,d,p,a ) £ Req, and an assignment x G 2Lss( Var) be given. Then the 
evaluation result (r, o) := evalp 0 i(q,x) of policy Pol for q and x ts defined by the 
following algorithm, where every “return” is understood to abort the processing of the 
algorithm. 

1 . Out-of-scope testing. If q £ Req(Voc), return (r, o) := ( scope-error , 0). 

2. Processing by precedence. For each precedence level i := max(Pol) down to 
min(Pol): 

- Accumulate obligations. o acc := U(i, U) d, P ,o ! c,5,r)eAfl(p 0 j 1 , lX ) 5 

- Normal ruling. If some rule ( i , u, d, p, a, c, o, r) £ AR(Pol, q, x) exists, return 
(c , o acc ). 

3 . Default ruling. If this step is reached, return (r, o) := (dr, 0). 

We also say that policy Pol rules (r, o) for q and x> omitting q and x if they are clear 
from the context. O 

2.4 Refinement and Equivalence of Well-Formed Privacy Policies 

Basically, refining a policy Pol means adding more details to it, i.e., enriching the vo- 
cabulary and/or the set of rules without changing the meaning of the policy with respect 
to its original vocabulary. To be useful for actual use cases, it is essential that operators 
defined on privacy policies behave in a well-specified and an “intuitive” manner with 
respect to refinement relations. Thus, before we can make concrete statements about 
the refinement properties of the operators introduced in the next section, we need some 
additional terminology, and end this section with recalling some definitions from [4]. 

Definition 12 (Compatible Vocabulary). Two vocabularies Voc\ and Vocy are com- 
patible if their condition vocabularies are compatible and UH\ U UH2,DHi U 
DH 2 , PH i U PH 2, AH i U AH 2 are hierarchies again. O 

The notion of compatible vocabularies is a technicality that turns out to be necessary to 
specify operations that combine different policies which are not necessarily formulated 
in terms of identical vocabularies, and this leads to 

Definition 13 (Union of Vocabularies). The union of two compatible vocabularies 
Voci and V0C2 is defined as Voc\ U V0C2 := (UH\ U UH2,DH\ U DH2,PH\ U 
PH2, AH 1 U AH 2 , Var 1 U Var2, OM), where OM = (O, — >0) w the obligation 
model with the lattice (tp(O), V, U) being generated by ‘P(Oi) and O2 ), and — *0 

being the restriction o/^o 0 r ° ! P(O)x < P(O). O 




An Algebra for Composing Enterprise Privacy Policies 



41 



Next, we need the refinement of obligations whose definition requires some care, as a 
refined policy may well contain additional obligations, whereas at the same time some 
others have been omitted. As consequence of this observation, the definition of refine- 
ment of obligations makes use of both obligation models, that of the original (coarser) 
policy and that of the refined policy: 

Definition 14 (Refinement and Equivalence of Obligations). Let two obligation 
models (0$,— >o<) otid bi C Oi for i = 1,2 be given. Then o 2 is a refinement of 
0\, written o 2 A bi if and only if the following holds: 

3d C Oi n 0 2 : o 2 >o 2 d — >Oi Oi- 

We call di and o 2 equivalent, written oi = o 2 , if and only if di A o 2 and o 2 A 01. 
Forr\,r2 € {+,— , 0 , scope -error}, we further define (ri,di) = (r 2 ,o 2 ) if and only if 
ri = r 2 and 01 = o 2 . O 

We can now formalize the notion of (weak) refinement of well-formed policies. Our 
definition of refinement closely resembles the one presented in [4], but it excludes par- 
tial assignments and conflict errors, which are not supported by the latest EPAL version. 
The notion of weak refinement has not been introduced before. 

Definition 15 (Policy Refinement). Let two well-formed privacy policies Pok = 
( Voci, Ri , dri) for i = 1,2 with compatible vocabularies be given, and set Pol* = 
(Voc*,Ri, drf) for i = 1,2 where Voc* := (UH 1 U UH 2 ,DH 1 U DH 2 ,PH 1 U 
PH 2 ,AH 1 \JAH 2 , Van, OMi). 

Let ri, r 2 € {+, — , o, scope-error} and di C Oifor i = 1,2 be arbitrary. We say 
that (r 2 ,o 2 ) refines (r i,bi) (in OM\ and OM2), written (r 2 ,b 2 ) A (ri,di), if and 
only if one of the following two conditions holds 

(1) (ri,oi) G {(scope_error,0),(o,0)} (2) n G {+,-}, r 2 = n, o 2 A Oi. 

We say that (r 2 ,b 2 ) weakly refines (ri,Oi) (in OM 1 and OM2), written 
(r2, o 2 )-<(ri, bi), if and only if one of the following three conditions holds: 

(1) (r 2 ,d 2 ) A (ri,oi) (2) n = +,r 2 = - (3) (n, di) = (+, 0), r 2 = o. 

We call Pol 2 a refinement of Pol 1, written Pol 2 A Pol 1 if and only if for every as- 
signment x G 2lss(Vari U Var 2 ) and every authorization request q G Req, we have 
eval p 0 i * ( q , x) A eval p 0 p ( q , x). We call P0I2 a weak refinement of Pol 1 i/the same 
holds with A replaced by A. O 

Intuitively, a privacy policy that weakly refines another policy is at least as restrictive 
as the coarser one: Even if the original policy rules “allow” for a certain request, after a 
weak refinement the same request may be denied, or - provided that no obligations get 
lost - an “allow” can be transformed into a “don’t care”. 

Finally, the equivalence of two well-formed privacy policies is defined in the obvi- 



ous manner: 
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Definition 16 (Policy Equivalence). Two well-formed privacy policies Poll and Pol 2 
are called equivalent, written Pol 1 = Pol 2, if and only if they are mutual refinements, 
i.e., Poll = P0I2 :<£=> (Pol 1 P0I2 A P0I2 -< Poh). O 

While this notion of policy equivalence is rather intuitive, it turns out that in some sit- 
uations only a weaker form of equivalence can be achieved, and we therefore conclude 
this section with the definition of weak policy equivalence. 

Definition 17 (Weak Policy Equivalence). Two well-formed privacy policies Pol 1 
and P0I2 are called weakly equivalent, written Pol 1 « P0I2, if and only if they 
are equivalent on their joint vocabulary, i.e., if and only if (Voc 1 U V0C2 , R \ , dr-fi 
= ( Voci U Voc 2 , R2, dr 2)- O 



3 Defining Operators 



Basically, defining symmetric operations on privacy policies reflecting the intuitive no- 
tions of conjunction (AND) and disjunction (OR) looks rather simple. Unfortunately, 
with a straightforward yet intuitive approach it happens that the conjunction or disjunc- 
tion of two privacy policies might no longer constitute a syntactically correct privacy 
policy. From a practical point of view such a behavior is not desirable: First, available 
tools to enforce a(n EPAL) privacy policy are designed to handle privacy policies only. 
Thus, to handle compositions of privacy policies these tools had to be modified or new 
tools had to be developed. The obvious solution to this problem - making use of a 
wrapper program that queries several policies by means of existing tools and combines 
their results appropriately - is not always acceptable. In particular such a workaround 
might violate conditions that were necessary to pass some (expensive) certification pro- 
cess. Secondly, the combined privacy policies can originate in rather different sources 
which are separated though significant geographical distances. Consequently, in larger, 
say multinational, projects, where policies of many different organizations have to be 
combined, it can be infeasible or at least very inconvenient to store all (component) 
policies that contribute to the ruling of the composition. 

To circumvent these problems, it is desirable to work in a subset of EP 3 P that is 
on the one hand closed under conjunction and disjunction as well as other suitable al- 
gebraic operations, and on the other hand is still expressive enough to capture typically 
used privacy policies. The following lemma, whose proof we omit due to lack of space, 
characterizes the expressiveness (and therewith also limits) of E-P3P policies. 

Lemma 1 (Expressiveness of E-P 3 P). Let Voc be a vocabulary and {p: Req( Voc) x 
2lss (Var) — * {+, 0 ,—} x %l{ 0 } be an arbitrary function. Then there exists a well- 
formed privacy policy Pol = (Voc, R, dr) with evalp 0 i(q,x) — ¥>(<?, x) f or 
(q,X) £ Req(Voc) x 21 ss(Var) if and only if for all valid requests q € Req(Voc) 
and all assignments \ £ 2 tss( Var), the following four conditions are satisfied: 

1 ■ <p(q, X) = (+, b) => Vq' < q : <p(q', \) = (+, o') (possibly with o' ± 0). 

2 - V(qi X) = (-, b) => Vq' > q : ip(q', \) = (-, o') (possibly with o' ^ 0). 
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3. ip(q, x) = ( — , o) implies that one of the following conditions holds: 

(a) q £ L( Voc), 

(b) 3 q' <1 q : ip(q' , x) = (+, o') (possibly with o' f o), 

(c) 3 C C {q' < i q,(p{q',x) = (-,o<?')} : C / 0 A o' = U^ec^'- 

4. 7/V(g, x) = (°) b), then o = 0. □ 



3.1 Conjunction, Disjunction and the Non-closedness of EPAL 



Unlike in typical access control settings, for defining the conjunction and disjunction 
of privacy policies, we have to take care of the “don’t care’’ ruling o, whose semantics 
is different from both “allow” and “deny”. Motivated by the intuition behind the ruling 
o, we decided for definitions that are in analogy to the conjunction and disjunction in 
a three-valued Lukasiewicz logic L3. To handle the obligations, we use the operator V 
provided by the obligation model. 



AND 

(+>o) 

(-»o) 

(0,0) 



(+,d') (-,5') (o,0) 

(+, o U o') (— , o') (o,0) 

(-,0) (— , o U o') (— , o) 

(o,0) (-o') (o,0) 



OR 

(+> °) 
(->0) 
(o,0) 



(+,d') (-o') (0,0) 

(+, o V o') (+, o) (+,o) 

(+,d') (-,dVd') (o,0) 

(+,d') (o,0) (o,0) 



Intuitively, we do not want to give a positive answer to a request if one of the two 
policies that are to be combined by AND denies the access. Further on, if one policy 
allows the access, and the other one “does not care”, then returning a “don’t care” seems 
plausible and is indeed needed to ensure the distributivity of the operators AND and 
OR. Similarly, for OR we allow an access, if at least one of the two involved policies 
allows the request. Moreover, we “do not care”, if one of the operands “does not care” 
- except if the other operand explicitly “allows” the request. 

Lemma 2. Fix some obligation model and denote by (fp(O), V, U) the corresponding 
lattice of obligations. Then (({+, — } x fp(O)) U {(o, 0)}, OR, AND) is a distributive 
lattice. □ 



We omit the proof of this and most of the subsequent lemmas due to space limitations 
and refer the reader to the long version of this paper [3], 

The natural definition of conjunction of two privacy policies Pol 1 and Pol 2 would 
be that whenever Poll rules (r*, of) for a given assignment and request, then the con- 
junction of Pol 1 and P 0 I 2 should yield (n, of AND (r2, 02), and similar for disjunc- 
tion. However, an easy corollary of Lemma 1 yields that such a policy is not necessarily 
a valid EPAL policy anymore, i.e., EPAL is neither closed under conjunction nor under 
disjunction given the above definitions. 

Corollary 1 (Non-closedness of EPAL). There exist policies Pol \ . Pol 2 such that 
for any policy Pol, we have that there exists an assignment x £ 21sb( Far 1 U 
Varf) and a request q £ Req(V oc\ U V 0 C 2 ) such that evalp 0 i(q,x) ^ 
evalpoifq, x) op eval Po i 2 (q, x) where op £ {AND, OR}. □ 

Proof. For showing the statement for conjunction, we consider the policies depicted at 
the left-hand side of Figure 1. Let Poll for i = 1,2 such that each of DM,, PHi, AHi 
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Fig. 1. Examples that EPAL is not closed under conjunction or disjunction. 



consists of a single element, and let UHi contain two elements u \ , 1.1,2 such that u \ is 
a parent of u^- Further assume that the condition vocabulary and the obligation model 
are empty. The rules in Pol 1 allow user u 2 to access the data whereas u\ is forbidden 
to do so. The rules in Pol-2 don’t care for both users. The conjunction would then yield 
a policy in which u\ is not allowed to access the data whereas the policy does not care 
for U2- This immediately yields a contradiction to Lemma 1 . The claim can be shown 
similarly for disjunction and the policies depicted at the right-hand side of Figure 1 . ■ 

It is is easy to see that adapting the definition of AND and OR in obvious ways (like 
redefining the occurrences of o) does not solve this problem without violating other 
essential conditions, e.g., the distributivity of the operators. As a remedy we identify 
the subset of well-founded privacy policies in the next section, which allows for a very 
intuitive handling in terms of defining conjunction and disjunction of privacy policies. 
Actually, for practical cases, the restriction to those privacy policies is not really an 
obstacle, and in the next section we take a closer look at such policies. 

3.2 Well-Founded Privacy Policies 

The intuition underlying the notion of well-founded policies can be described as fol- 
lows: 

- Suppose the ruling specified for some group is “deny”, but none of the group mem- 
bers is denied from accessing the respective data. Then this contradicts the idea 
that in EPAL the group ruling is to reflect (“to group”) the rulings of the individual 
group members. 

- If each member of a group is permitted to perform some action, then intuitively the 
group as a whole is permitted to perform this action, too. 

- Assume that both the ruling specified for a group and for a member of this group is 
“allow”, and assume further that the obligations of the group are not a superset of 
the obligations of the group member. Then the group member may be able to avoid 
certain obligations by submitting a query where the user is specified to be the group 
as a whole. Typically, the availability of such a “workaround” is not desirable. On 
the other hand, if the obligations of the group are stricter than the union of the 
obligations of the group members and we (re)define the group obligations to be the 
union of the individual obligations then no harm (in the sense that a group member 
can gain additional privileges) is caused by querying the group. 

Formally, well-founded policies are captured as follows: 
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Definition 18 (Well-Founded Policy). Let Pol be a well-formed policy. Then we call 
Pol well-founded if and only if for all (q,x) G Req(Voc) x 2ls s(Var) the following 
conditions are fulfilled: 

- If q is no leaf node and eval p 0 i(q , x) = ( — , o), then there exists q' <1 q such that 
evalpofiq' ,x) = (— ,o') for some o' . 

- If eval poi (q r ,x) = (+,cy) for each q' <1 q and arbitrary o q ', then 

evalpoi(q,X ) = (+, o) for some o. 

- If eval pd (q, X ) = (u o), then o = U,'< 1 g,e»ot PoI (,',x)=(r,5') o'- ° 

Up to equivalence, well-founded policies are already uniquely determined by the rulings 
of the leaf nodes: 

Lemma 3. Let Pol i, Pol 2 be well-founded privacy policies with Voc\ = Voc 2 and let 
evalp 0 i 1 (q,x ) = evalp 0 i 2 (q,x) f or every q G L(Voc\) and every x G 2lss(Vari). 
Then Poll = Pol 2 - □ 

Actually, the predetermined allow and deny rulings for the set of leaf nodes can be cho- 
sen arbitrarily. The subsequent algorithm demonstrates how in principle a well-founded 
policy can explicitly be written down that is consistent with any predetermined set of 
rulings for all leaf nodes. Note however that the algorithm does not aim at generating 
small policies; optimizing it for practical purposes is considered as future work. 



Input: • a vocabulary Voc and 

• a ruling (r q>x , o,, x ) G ({+, -} x <P(0)) U {(o, 0)} 
for all q G L( Voc),x £ 2lss (Var). 

Output: a well-founded privacy policy Pol = ( Voc , i?, dr) such that for all 

q G L(Voc),x G 2ls s(V ar) the equality evalp Q i{q,X ) = ( r <?,x>o<7,x) holds. 



/ * Assign identical precedences to leaf rulings different from (o, 0) * / 

R:=0 

for each q := (it, d,p 1 a) G L( Voc) 
if ( r q,x> 7 ^ (°>0) 

then R := R U {(0, u, d,p, a, c x , o qa , r qa )} (1) 

end if 
end for 

/ * Insert missing positive rulings with low precedence * / 
for each \ £ 2lss( Var) and each q := ( u,d,p,a ) G Req(Voc) do 
if ry iX = + for all q' G L{q , Voc) 

then R:=RU{(i, u, d,p, a, c x , \J q ,^ L(q ^ Voc) cy , x )} (2) 

such that i <i' 

for all (if u ' , d' ,p ' , a', d , +, o') G i? : q > (u ' , a') 

end if 
end for 

return ( Voc, i?, o) 
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Lemma 4. The above algorithm is totally correct, i.e., it terminates and for inputs as 
specified in the algorithm, it computes a policy as specified in the output description. □ 

3.3 Conjunction and Disjunction of Privacy Policies 

We now define the conjunction and disjunction of two well-founded privacy policies. 
From Lemma 3 we know that it is sufficient to define the operations for those requests 
that are leaves of the considered hierarchies since once the evaluations on the leaves 
are fixed, the corresponding privacy policy is, up to equivalence, uniquely determined. 
With the algorithm in Section 3.2 we can then explicitly compute a policy that is con- 
sistent with the given evaluations of the leaf nodes. However, to make definitions of the 
operators independent of an algorithmic specification, we will formulate the actual defi- 
nitions in such a way that the result of a conjunction/disjunction of two privacy policies 
constitutes an equivalence class of policies - not a specific privacy policy. For practical 
purposes this is not really a problem as we can, e.g., use the algorithm from Section 3.2 
to derive a concrete policy from the equivalence class. 

The motivation for defining an AND operation on privacy policies is rather straight- 
forward: Assume that an enterprise takes part in some project for which data has to be 
accessed and processed that is controlled by some external project partner. Then the 
access to and processing of such data shall only be allowed, if none of the individual 
privacy policies of the participating enterprises is violated. 

Definition 19 (Policy Conjunction). Let Pol i, Pol 2 be two well-founded privacy poli- 
cies such that Pol* = (Voc * , Ri, dri) for i = l, 2 with Voc* := (UH iU UH 2, DH iU 
DH 2, PH 1 U PH 2, AH 1 U AH 2 , Vari, OMf) are also well-founded privacy policies. 

Then the conjunction of Poll and P0I2, is the equivalence class (w. r. t. =) of all 
well-founded privacy policies Pol on the joint vocabulary Voc := Foci U Voc 2 such 
that for all leaf nodes q € L(Voc) and for all assignments \ € ^Lss(Var) we have 
(ri,oi) = (r 2 , 02), where 



(ri,Oi) := evalpoi{q,X ) 

(r 2 ,o 2 ) := evalp 0 i* (q, x) AND eval Po q(q,x)- 

By Poh&Poh we denote any representative of this equivalence class ( which can, e.g., 
be computed by means of the algorithm in Section 3 . 2 ). O 

Note that this definition only imposes conditions on the leaf nodes, hence the question 
arises to what extent “inner” queries obey the defining table for AND, too. Indeed, the 
desired relations are fulfilled for arbitrary queries: 

Lemma 5. Let Pol 1, P0I2 be well-founded privacy policies that satisfy the require- 
ments of Definition 1 9 and let Pol = Pol 1 & Pol2- Then for all requests q € Req( Voc) 
and for all assignments x G 2lss( Var) we have the equivalence eval p 0 i(q,x) = 
eval p 0 i * ( q , %) AND eval p 0 i * ( q , x) with Pol* as in Definition 19 . □ 

Similar to conjunction, the disjunction of privacy policies is essential for a variety of use 
cases. For example, consider two departments of an enterprise that cooperate in some 
project. For carrying out this project, it should then be possible to access data items 
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whenever one of the individual privacy policies of the two departments grants such an 
access. This idea of “joining forces” is captured by the following definition. 

Definition 20 (Policy Disjunction). Let Poll, P 0 I 2 be two well-founded privacy poli- 
cies such that Pol* = (Voc * , Ri, drf) for i = 1,2 with Voc* := (UH \ U UH 2 , DPli U 
DH 2l PH 1 U PH 2 , AH 1 U AH 2 , Vari, OMf) are also well-founded privacy policies. 

Then the disjunction of Poll and Pol 2 is the equivalence class (w.r.t. =) of all 
well-founded privacy policies Pol on the joint vocabulary Voc := Voci U V 0 C 2 such 
that for all leaf nodes q £ L( Voc) and for all assignments \ € 2lss( Var) we have 
(ft, dt) = (f 2 , d 2 ) where 

(ft, hi) := evalpoi(q,X ) and 

(f 2 , b 2 ) := eval Po i*(q,x) OR eval Po q(q,x)- 

By Poll + Pol 2 we denote any representative of this equivalence class (which can, e.g., 
be computed by means of the algorithm in Section 3.2). O 

Unfortunately, for the disjunction of privacy policies, we have no analogue to Lemma 5, 
i.e., in general we cannot achieve an equivalence of the form evalp 0 i(q,X ) = 
eval p 0 i * ( q , %) OR eval p 0 i * ( q , x) f° r arbitrary requests q and assignments X- In fact, it 
is not difficult to construct examples where imposing such a “node-wise equivalence” 
yields a contradiction to well-foundedness. Fortunately, also for the “inner nodes” the 
policy obtained by disjunction is still rather close to what one would expect intuitively: 

Lemma 6. Let Pol 1 , Pol 2 be well-founded privacy policies that satisfy the require- 
ments of Definition 19 and let Pol = Poll + Pol 2 . Then for all q £ R.eq(Voc) such 
that evalpoi(q,x) = (~,o) or eval Po q(q,X ) OR eval Po i*(q,x) = (+,b) holds for 
some o, we have eval Po q (q, x) OR eval Po i * (q, x) -< eval Po i(q, x)- D 

3.4 Scoping of a Privacy Policy 

One of the most desirable operations in practice is to restrict the scope of a policy, i.e., 
to restrict large policies to smaller parts. Examples for this so-called scoping are om- 
nipresent in practical policy management, e.g., deriving a department’s privacy policy 
from the enterprise’s global privacy policy, or considering only those rules that specifi- 
cally deal with marketing purposes. Formally, we define the following scoping operator: 

Definition 21 (Scoping). Let Pol be a well-founded privacy policy and let V := 
(UH 1 , DH ' , PH ' , AH') where UH' , DH', PH', and AH' are arbitrary subhierar- 
chies of UH, DH, PH, AH, respectively. 

Then the scoping of Pol with respect to V is the equivalence class (with re- 
spect to =) of all well-founded privacy policies Pol' on the vocabulary Voc' := 
(UH ' , DH ' , PH ' , AH ' , Var, O M) such that for all leaves q £ L(Voc') and for all 
assignments x €E 2fss( Var) we have 

eval Pou (q, x) = eval Po i(q,x)- 



By Pol \v we denote any representative of this equivalence class (which can, e.g., be 
computed by means of the algorithm specified in Section 3.2). O 
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Ideally, scoping would yield a privacy policy such that not only for the leaf nodes, but 
also for the “inner” requests we always obtain equivalent rulings from Pol and Pol \y. 
However, in general this contradicts the well-foundedness of the privacy policy derived 
via scoping unless additional assumptions on the considered hierarchies are imposed: 

Example 1. Consider a well-founded privacy policy Pol such that each of DH, PH, 
AH consists of a single element. For the sake of simplicity assume that the condi- 
tion vocabulary is empty, and let UH contain three users uo, u\, 1 / 2 ■ The rules in 
Pol allow user u\ to access the data with obligations di , and user U 2 can access the 
data with obligations 02 . Finally the “superuser” uq - the parent of u\ and U 2 in the 
user hierarchy UH - can access the data with obligations d\ U 02 to ensure the well- 
foundedness of Pol. If we scope this policy w. r. t., {{uq,u\} , DH, PH, AH), then 
user Mi can still access the data with obligations b \ , but due to the well-foundedness 
of PoI\({ U0 ' Ui },dh,ph,ah), n °w the superuser uq can also access the data with obliga- 
tions di, in other words the obligations 02 are “lost”. 

However, even without imposing additional constraints on the considered hierarchies, 
we can exploit the well-foundedness of the policies to establish the following lemma: 

Lemma 7. Let Pol be a well-founded privacy policy with vocabulary Voc and V := 
( U H' , DH' , PH' , AH ' ) a tuple of subhierarchies ofUH, DH, PH, AH, respectively. 
Then Pol<Pol\v ■ □ 

In dependence on the precise kind of scoping considered, even stronger preservation 
properties can be proven, e.g., if the scoped policy is well-founded again then we obtain 
equivalent rulings also for inner requests. This is the case if we for instance apply a 
scoping operation under which the leaf requests are invariant, i.e., if the considered 
vocabularies are non-appending. Albeit this looks rather restrictive from a theoretical 
point of view, for the kind of scoping needed in practice - say extracting a department’s 
privacy policy from an enterprise’s privacy policy - this requirement is often met. 

Lemma 8. Let Pol be a well-founded privacy policy, and V := {UH' , DH' , PH' , 
AH') a tuple of subhierarchies of UH, DH, PH, AH, respectively, such that 
for Voc! := {UH' , DH' , PH' , AH' , Var,OM) and all q £ Req{Voc'), we have 
L{q , Voc) = L{q, Voc'). Then for all q £ Req{ Voc') and for all assignments 
X £ 2lss( Var) we have eval Pol {q , \) = eval Pol \ v {q, x). □ 

3.5 Further Extensions of the Algebra 

There are certainly further operators one would like to add to the set of available tools. 
From a practical point of view, it is in particular desirable that the operators discussed 
in this paper can be combined with the sequential form of composition of E-P3P poli- 
cies proposed in [4]. Since we try to stay close to the latest version of EPAL that has 
been submitted to W3C for standardization, the E-P3P variant underlying [4] is slightly 
different from the variant that we consider here, hence some care has to be taken in 
combining operations/results from [4] and the ones presented above. Fortunately, car- 
rying over the operator for sequentially composing privacy policies from [4] - there 
called ordered composition - to the situation considered here is straightforward. 
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As a technical tool, [ 4 ] introduces policies with removed default rulings, which 
means that an E-P 3 P policy is transformed into an equivalent one with default ruling 
“don’t care”. However, from Lemma 3 we know how to represent any well-founded 
privacy policy in this way, and so we can do without this technical trick here. As in 
[ 4 ] we make use of the concept of precedence shift, which adds a fixed number to the 
precedences of all rules in a policy. This can be used, for instance, to shift a department 
policy downwards, so that it has lower precedences than the CPO’s privacy policy. 

Definition 22 (Precedence Shift). Let Pol = ( Voc , R, dr) be a privacy policy and 
j € Z. Then Pol + j := ( Voc, R + j, dr) with R + j := {(i + j , u, d,p, a, c, d, r) \ 
(i, u, d,p, a, c, o, r) € f?} is called the precedence shift of Pol by j. We define Pol — 
j ■- Pol + (- j ). O 

To formalize the sequential composition of two well-founded policies Pol i, Pol 2 with 
compatible vocabularies, we assume that both of them have a “don’t care” default rul- 
ing. If this is not the case, we first apply an algorithm like the one in Section 3.2 to 
derive equivalent privacy policies which have a “don’t care” default ruling. After that, 
we shift the two policies accordingly, and then join their vocabularies and rulesets: 

Definition 23 (Sequential Composition). Let Pol 1, Pol 2 be well-founded privacy 
policies with compatible vocabularies, where w.l.o.g. dri = o = dr 2- Let (Voci, 
R'{, o) := Pol 1 — max(Poli) — 1 and (Voc2, R'2, 0 ) ■— P0I2 — min (Poll) + 1 - Then 

Poll P0I2 := ( Voci U V0C2 , R” U R' 2 , o) 

is called the sequential composition of Pol 1 under Pol2- O 

Intuitively, a sequential composition of Pol\ under Pol 2 should serve as a refinement 
of Pol 2 which is formally captured in the following lemma. 

Lemma 9 . For all well-founded privacy policies Pol 1 and Pol 2 with compatible vo- 
cabularies and dr 1 = o = dr2, we have Pol \ [j Pol 2 A Pol 2. □ 

Obviously, the sequential composition of two well-founded privacy policies is in gen- 
eral no longer well-founded. So when combining [j with the operators + and & to form 
more complex privacy policies, some care has to be taken. In general, the sequential 
composition of policies should always be the last operation applied, as it is the only one 
which does not preserve well-foundedness. 



4 Algebraic Properties of the Operators 

Since the operator definitions proposed in the previous section are quite intuitive, one 
would not expect “unpleasant surprises” when using these operators to form more com- 
plex privacy policies involving three, four, or more operands. As actual use cases often 
involve more than only one or two different privacy policies, we have to ensure that our 
operators do not yield non-intuitive behaviors in such scenarios. Fortunately, this is not 
the case, and the usual algebraic laws apply: 
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Lemma 10 . Let Poll, P0I2, P0I3 be well-founded E-P 3 P policies such that the fol- 
lowing expressions are well-defined, i.e., the respective requirements in Definition 19 
respectively Definition 20 are met. Then the following holds: 

Idempotency : PoliSzPoli = Poll, ( 1 ) 

Poll + Poll = Poll, 

Commutativity : P0I1&P0I2 = Pofa&zPoli, ( 2 ) 

Poll + P0I2 = P0I2 + Poll , 

Associativity : PoliSz(Pol2^Pol3) = (Poli&P ol2)&tPol3, ( 3 ) 

P oli {P 0I2 + P 0I3 ) = (P oli + P 0I2) + P 0I3, 

Distributivity : Poll + (P 0/2&P 0/3) = ( Poll + Po^2)&(Poli + P0I3), ( 4 ) 
Poli&z(Pol2 + P0I3 ) = (P0/1&P0/2) + (P0Z1&P0I3), 
Strong Absorption : Poll + (P0/1&P0/2) -< Poll. ( 5 ) 

□ 

It is worth noting that our proof of the strong absorption property relies on both 
Lemma 5 and Lemma 6, and although it may look tempting, one cannot simply switch 
the roles of conjunction and discjunction in the proof to derive a "dual” strong absorp- 
tion law with the roles of & and + being exchanged. 

In addition to purely algebraic properties of the operators, one can also establish 
several refinement results. In particular we can prove the following relations, which 
from the intuitive point of view are highly desirable: 

Lemma 11 . Let Poll, P0I2 be well-founded privacy policies such that the respective 
requirements of Definition 19 and Definition 20 are met. Then we have 

Weak Multiplicative Refinement : Poli&zPol2-<Poli (i = 1 , 2 ), (6) 

Weak Additive Refinement : Pof^kPoli + P0I2 (i = 1 , 2 ). ( 7 ) 

□ 

Finally, we state a refinement result which relates the sequential composition operator 
to the operators for conjunction and disjunction: 

Lemma 12 . Let Pol 1, P0I2 be well-founded policies such that the respective require- 
ments of Definition 19 , Definition 20 , and Definition 23 are met. Then we have 

Weak Operator Refinement : P0I1&LP0I2 ~< Poll (^J P0I2 ~< Poll + Pop. (8) 

□ 



5 Conclusion 

Motivated by the need for practical life-cycle management systems for the collection of 
enterprise privacy policies, we have introduced several algebraic operators for combin- 
ing enterprise privacy policies, and we have shown that they enjoy the expected alge- 
braic laws. Our operators allow for a convenient, modular use of existing EPAL policies 




An Algebra for Composing Enterprise Privacy Policies 



51 



as building blocks for new ones, and they hence avoid the difficulties that naturally arise 
for the usually very complex monolithic privacy specifications. 

An analysis of the expressiveness of EPAL further revealed that, somewhat surpris- 
ingly, EPAL policies are not closed under intuitive notions of policy conjunction and 
policy disjunction; however, such operations are crucial for actual use cases. We have 
circumvented this problem by identifying a suitable subclass of EPAL policies that is 
closed under desired algebraic operations. Further on, the introduced tools for com- 
bining privacy policies satisfy natural requirements like associativity, commutativity, 
and distributivity, as well as appropriate refinement relations. In addition to conjunction 
and disjunction operators, our algebra provides a scoping operation which allows for 
managing and reasoning about privacy requirements that involve only certain parts of 
an organization. Finally, we have shown that the already existing notion of sequential 
composition of privacy policies fits naturally into our setting. As future work we con- 
sider it a worthwhile goal to add further operations to our algebra in order to further 
facilitate a convenient handling of privacy policies. 
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Abstract. As a part of a continued effort towards a logical framework 
for incremental reasoning about security, we attempted a derivational 
reconstruction of GDOI, the protocol proposed in IETF RFC 3547 for 
authenticated key agreement in group communication over IPsec. The 
difficulties encountered in deriving one of its authentication properties 
led us to derive an attack that had not surfaced in the previous extensive 
analyses of this protocol. The derivational techniques turned out to be 
helpful not only for constructing, analyzing and modifying protocols, but 
also attacks on them. We believe that the presented results demonstrate 
the point the derivational approach, which tracks and formalizes the 
way protocols are designed informally: by refining and composing basic 
protocol components. 

After a brief overview of the simple authentication logic, we outline a 
derivation of GDOI, which displays its valid security properties, and the 
derivations of two attacks on it, which display its undesired properties. 
We also discuss some modifications that eliminate these vulnerabilities. 
Their derivations suggest proofs of the desired authentication. At the 
time of writing, we are working together with the Msec Working Group 
to develop a solution to this problem. 



1 Introduction 

A key feature needed to support the integration of formal methods into crypto- 
graphic protocol design is composability. Most of the design of a working crypto- 
graphic protocol is incremental in nature. One starts with a simple pattern that 
gives the basic skeleton of the protocol. One then adds the particular function- 
ality needed for the particular application in mind. Some of the added functions 
may be optional, leading to different versions of the protocol. Finally, if some of 
the added features require interaction between the principals, it may be neces- 
sary to compose the protocol with some other protocol or protocols. For example, 
if one wants a key distribution protocol to enforce perfect forward secrecy, one 
may want to compose it with the Diffie-Hellman protocol by using Diffie-Hellman 
generated keying material as input into the key. 

* Supported by ONR N00014-03-C-0237 and by NSF CCR-0345397. 
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In a situation like this it would be ideal if one could verify as well as design 
incrementally. It should be possible to identify situations in which properties 
that have been proven to be true remained true even after the protocol was 
modified in certain constrained ways. Unfortunately, this is in general a very 
hard problem in formal methods. In the general case, even minor changes can 
fail to preserve properties that had previously held. 

A solution, of course, is to restrict oneself to properties and transformations 
that can be reasoned about incrementally; and more generally, to develop tech- 
niques to recognize conditions under which the security properties of interest 
are preserved under refinement, composition, or transformations at large. One 
such technique, in the framework of protocol derivations, has been studied in 
[8]. In the context of general theory of protocols, the issue of compositionality 
has been widely investigated, in various abstract process models. Some of the 
recent references are [6,2,15]. While the general problem of compositionality 
and monotonicity of security properties remains open, particular applications 
do allow useful deployment of incremental methods, informally used in many 
protocol development efforts and publications. We believe that such practices 
can and should be formalized. 

With this in mind, we have been developing a monotone epistemic logic that 
provides a straightforward way of composing derivations of properties. In this 
logic, all statements express agents’ knowledge about concrete situations and 
events such as the possession of keys and the sending and receipt of messages. 
These statements can then be composed to prove the desired conclusions about 
the sequences of events that must occur in a protocol. The current version, 
addressing only authenticity, however, does not involve composition of knowl- 
edge modalities, so that the epistemic nature of this logic remains on a rather 
rudimentary level. While it resembles BAN logic [5] in this restriction to authen- 
tication, the present logic is much simpler, with the order of actions as its only 
non-logical primitive. 

Most importantly, the logic proceeds in much the same way as a protocol 
is designed. One starts with some simple patterns, for which some basic prop- 
erties are established in advance. These patterns are then composed into the 
basic protocol. The properties add up in so far as they preserve each other’s 
assumptions [8] . The next step is to add specific features that the protocol must 
provide: these would include, for example, the actual data that the protocol is 
intended to distribute securely. At this step, the protocol can also be composed 
with other, auxiliary, patterns. 

An interesting and useful feature of the logic is that the same approach can 
be used to derive attacks on insecure protocols as to prove security properties 
of sound ones. This is often done by lifting a simple attack on a simple protocol 
component to a more subtle attack on a more complex protocol. The attack on 
a component C is expressed as a process on its own, say C, corresponding to a 
logical statement of an undesired property. If the protocol P has been derived 
by using C in a derivation A, then replacing C by C in A will yield a derivation 
A of an attack P on P, whenever the relevant undesired property is preserved. 
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The result is that we are able to take advantage of our knowledge of C to derive 
the attack P. 

Other attacks on protocols, of course, may not arise from attacks on their 
components, but may emerge, e.g., from insecure composition of secure compo- 
nents. Such attacks can still be derived, just like counterexamples are derived in 
logic, by changing the derivation goals. Since attacks, like protocols, are often 
based on simple patterns, attack derivations have the potential to be a useful 
feature for parlaying knowledge about basic attacks, and about propagating in- 
securities, into understanding of the vulnerabilities of complex protocols, just 
like protocol derivations parlay knowledge about basic protocols and their of 
security properties. 

The logic used in our derivations draws upon the ideas of earlier derivational 
formalisms, developed in [10,7]. The crucial difference is again that the state- 
ments of the new logic are couched entirely in terms of partial orders (distributed 
traces) of actions, as observed by each agent, or derived from her observations 
and the common axioms. One consequence of this is that we are now less likely 
to encounter some of the problems that epistemic logics at large have had in the 
past, where it was sometimes difficult to determine from the conclusions of an 
analysis what actual behavior was expected of a protocol, e.g., what sequence of 
events was actually supposed to occur. Another consequence is that our deriva- 
tion system has a smaller syntax and simpler semantics than its predecessors. 
Nevertheless, a logic capturing the distributed reasoning in dynamic protocol in- 
teractions remains a challenge, not only conceptual, but even notational: writing 
down the views of the principals in a sequence does not display the essence. Un- 
derstanding protocols requires new semantics, deriving them also requires new 
interfaces, and very much depends on the available tools. The current system 
suggests some of the notational forms, supported by a tool developed at Kestrel 
Institute. The space permits only a broad overview of a fragment; the goal is to 
show it at work on GDOI. 

The Group Domain of Interpretation (GDOI) [3] protocol, developed by the 
Internet Engineering Task Force (IETF), is not only of great practical interest, 
because of its wide applications in secure multicast, and in secure group commu- 
nication at large [3, sec. 1.1], but also of particular conceptual interest, because 
of the previous detailed analyses using the NRL Protocol Analyzer (NPA) [16]. 
The NPA is a model checker that, like the logic described in this paper, can be 
used to both provide security proofs and discover attacks, but does not support 
incremental or compositional verification. Interestingly, a failed composition in- 
volving a portion of the protocol called the “Proof of Possession” pointed up a 
potential problem with an optional means for providing authorization, which, 
because of a misunderstanding of the requirement, had been missed in the NPA 
analysis. The attack presented in this paper has arisen from an attempt to derive 
the GDOI protocol with the Proof of Possession option: the analysis of the step 
composing the core GDOI with the subprotocol underlying Proof of Possession 
has shown that the insufficient binding between the two components allowed 
deriving attacks, rather than the desired security property. 
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The rest of the paper is organized as follows. In section 2 we describe the 
GDOI protocol. In sec. 3 we give a brief overview of the logic. In sec. 4 we describe 
the derivation of the Core GDOI protocol. In sec. 5 we describe the derivation 
of the Proof of Possession protocol and its composition with the core GDOI 
protocol. In sec. 6 we discuss the derivation of the attack and some suggestions 
for fixing the protocol. In sec. 7 we compare our results with the earlier NPA 
analysis and conclude the paper. 

2 The GDOI Protocol 

GDOI actually consists of two main protocols: the GROUP KEY-PULL protocol, 
which is used when a new member joins the group, and the GROUPKEY-PUSH 
datagram, which is used to distribute keys to current members. In this paper we 
are concerned with the GROUPKEY-PULL protocol. 

The GROUPKEY-PULL protocol takes place between a Group Controller/ 
Key Server (GCKS) and a member who wants to join the group. Authentication 
and secrecy are provided by a key that was previously exchanged using the 
Internet Key Exchange (IKE) protocol [13]. The purpose of IKE is to provide 
secure key distribution between two principals. Keys are distributed by IKE in 
two phases: long term Phase 1 keys, which in turn are used to distribute shorter- 
term Phase 2 keys. GDOI makes use of IKE Phase 1 only; GDOI can be thought 
of as taking the place of IKE Phase 2 for groups. 

The GROUPKEY-PULL protocol serves two purposes: one is to distribute 
the current group key to the member, the other to provide mutual authentica- 
tion and authorization between the member and GCKS. Furthermore, the latter 
purpose can be realized in two ways: 

(i) by using the Phase 1 key for authentication, and storing the authorization 
information with principal’s Phase 1 identity, where it can be readily looked 
up, 

(ii) by storing the authorization information in a certificate that contains prin- 
cipal’s public key, allowing it to be authenticated by a signature with the 
corresponding private key. 

In the latter case, known as the Proof of Possession (PoP) , it is not the purpose 
of a certificate, as usual, to allow the verification of a signature, but rather it is 
the purpose of the signature to authenticate the certificate. A principal uses the 
PoP to prove that he possesses the key in the certificate by using it to sign the 
other principal’s nonce. 

An interesting feature of the above options, specified in the GDOI RFC [3] 
is that the identity, contained in the certificate in (ii), can be, and is expected to 
be, different from the Phase 1 identity, used in (i) 1 . Allowing multiple identities 
can be useful for security associations, has been used in the recent versions of 
IKE, envisioned for Phase 1 of GDOI, and is not insecure in itself. In this case, 
however, it does cause problems, as we shall soon see. 

1 This is explicit for the group member, and left open for the GCKS. 
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The GDOI message flows, relevant for our analysis, are given below. The 
messages are passed along a secure channel where authentication and secrecy 
are provided by the key passed in Phase 1 IKE, and which is identified by an 
IKE header and Message ID. Since in this paper we are considering authentica- 
tion issues alone, we do not specify the encryption and identification functions 
explicitly. We also leave off an optional Diffie-Hellman exchange, since it is not 
relevant to our analysis of authentication properties of the protocol. 

Let A be a group member and B a GCKS. 

(i) A — >■ B : H AB (m . , id), m, id 

Here, to is A’s nonce, id is the ID of the group, and H BA denotes compu- 
tation of a hash using the Phase 1 key shared between A and B. 

(ii) B — > A : H BA (n,m, sa),n, sa 

Here n is B’s nonce and sa stands for the security association associated 
with the key. Note that the keyed hash here is denoted H BA instead of 
H AB . This is to reflect the requirement that the input to the hashes be 
formatted in such a way that a message from an initiator be distinguishable 
from a message from a responder. This is not an issue for this specification, 
but will become so later for various partial specifications of the protocol. 

(iii) A—>B: H AB (n, to, C a , S A (n, m)),C A , S A (n, to). 

Here C A denotes a certificate pertaining to A’s new identity, A'. This 
certificate contains a public key, and S A denotes a signature by the corre- 
sponding private key. 

(iv) B — > A : H BA (n, to, C b , sq, k, S B ( n , to)), sq , k, S B (n, to) 

Here k is the actual keying material, and sq is a sequence number indicating 
the current GROUPKEY-PUSH message. 

Irrelevant information is omitted wherever the confusion seems unlikely. For 
example, responder’s nonce will be left out of the final hash in GDOI, since it 
plays no role in the analysis. For similar reasons, keying material and sequence 
numbers passed to the group member will also be omitted. 

3 Brief Overview of Challenge Response Logic 

The logic describes actions performed by agents. Actions consist of sending, 
receiving, and rewriting data, and generating random values. Agents constitute 
processes in the underlying process calculus; in this case, they can be construed as 
strands [17], or as cords [11]. Roles and principals can then be modeled as classes 
of agents, sharing data or information: keys and names in the case of principals, 
or actions in the case of roles. The other way around, an agent may be thought of 
as a special instance of a role, or of a principal. We will concentrate on conclusions 
that can be derived from participation in challenge-response protocols, and use 
challenge-response as building blocks for more complex protocols. 

The logic is built out of simple axioms describing the conclusions that a 
principal can draw from her observations of protocol actions, using the known 
axioms. These axioms are usually of the form: “If an agent performs certain 
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sequence of actions, then she can conclude that some other sequence of actions 
by other parties also occurred”. For instance, if A receives a message, then she 
can conclude that someone must have sent that message; if that message contains 
a term that only B can form, then she knows that B must have been on the 
path of the message. 

The notational conventions are as follows. A language of terms t, which can 
be sent in messages, is assumed to be given. It includes variables for unknown 
terms or agents, and sufficient typing. The expressions (f)A, resp. (£)ai denote 
the statements that the agent A has sent, resp. received the term t. The expres- 
sions ((t))A resp. ((£))a, denote the statements that A has sent, resp. received 
a message containing t. An agent asserting such a containment statement may 
not be able to extract t, but must be able to establish its presence (e.g., as in 
the case of hashing) . When the source and the destination of a message are rel- 
evant, we use the verbose forms {{t : A — > B))c and (( t : A — > B))c, where A 
and B are respectively the purported source and destination fields. Like the the 
“To” and the “From” fields, they can be spoofed, whereas the subscripts C name 
the agent who actually performs the action. A further convenient abbreviation is 
((t))c< , which means that C is the originator of the first message containing t 2 . 
In general, t may contain subterms generated by others, yet (( t))c< asserts that 
no one before C had sent t, itself. The expression (ym) describes the generation 
of a fresh nonce ?n. As usually in process calculus, it binds m to the right. 
Atomic statements are generated over actions in one of the following forms: 

— a - ‘‘the action a has occurred ”, 

— a <b - “the action a has occurred before b”, and 

— a = b “the actions a and b are identical”. 

The conditional precedance in the form “if b occurs, then a must have occurred 
before ” is often used, so we abbreviate it as a -< b b =>■ a < b. 

When authenticating each other, agents reason from partial descriptions and 
unknown order of actions, towards total descriptions and order. The names a 
and b thus usually denote only partially determined actions. Thus, for instance 

— {t) a < ( x)y ~ means that some action in the form (t) a precedes some action 
in the form (a’)'y, 

— a = {t ) a — means that the action denoted by a must be in the form (f)A‘, 
note that in the same session there may be b ^ a with b = (t) a] 

— (U(t)) A = (V(t)) B , where U ( t ) and V (f) are undetermined messages con- 
taining t - means that U(t) = V(t) and A= B. 

The state of each agent consists of what she has seen and recorded. In prin- 
ciple, she only sees her own actions. She can thus record (some of) the terms 
that she has sent, received, or computed, and the order of actions that she has 
performed. At each new state, an agent can draw new conclusions, applying the 
axioms, which constitute common knowledge, to the data seen or recorded. Each 
such derivation thus consists of three fields: 

Formally, (( t))c< abbreviates 3c. c = {{t))c A V6. b = (( t))B => b < c. 
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— 11 A sees:. . . ” - displaying A’s state, 

— U A knows:. . .” - displaying axioms and the previously derived facts, 

— 11 A concludes: ...” - displaying the new conclusions, following from the above. 

We omit “sees” , “knows” , and “concludes” whenever confusion seems unlikely. 

There are two basic axioms that express semantics of actions. All principals 
are assumed to know them. 

(t) => 3a. a = (t) A a < ( t ) (rev) 

{vm) M => Va^- (a = ((to)) V a = ((m)) => (: vm ) < a A 

A ^ M => (: um) M < {{m)) M < ((m)) A < CDt) (new) 

The (rev) axiom says that if a message is received, it must have been sent. The 
(new) axiom says that, if a fresh value is generated, then any action involving 
that fresh value must occur after its generation; moreover, if some principal 
other than the originator receives a message containing the fresh value, then the 
originator of the value must have sent a message containing it. 

Axiom (cr) supports the reasoning of the initiator of a challenge-response 
protocol. It is formalized as follows: 

A : (vm) A ({{c AB m)) A < (( r AB m)) A 

=> ((c AB m)) A < (( c AB m)) B < (( r AB m)) B < < {{r AB m))j^j (cr) 

The expression c AB m denotes a challenge function applied to ?n, while the ex- 
pression r AB m denotes a response function applied to to. The axiom can be 
viewed as a specification of the requirement defining these two functions. It tells 
that A can be sure that if she issues a message containing a challenge c AB m, 
and receives response containing r AB m, then B must be the originator of that 
response. In other words, B is the only agent who could have transformed c AB m 
to r AB m, given the A’s own observed actions. This is the basic logical building 
block of authentications. The same idea is captured by Woo-Lam’s correspon- 
dence statements [18], or by Guttman and Thayer’s authentication tests [12]. 

In the various instances of axiom (cr), functions c and r satisfying the above 
specification, can be implemented in various ways, e.g. taking B’s signature as 
the response, or B ' s public key encryption as the challenge. In each case, it 
will need to be proved that the particular implementation satisfies the specified 
requirement . 

The logic also contains axioms for composing, refining and transforming pro- 
tocols. A transformation or refinement usually adds a new property or function- 
ality to the protocol, in which case it comes annotated with an axiom, leading 
to new conclusions. In authentication protocols, such axioms may expand prin- 
cipal’s knowledge about the events in the run of the protocol that he is partici- 
pating. For example, in the basic challenge-response axiom there is no indication 
that B intended its message as a response to A’s particular challenge. This would 
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need to be supplied by some refinement introducing a specific integrity token, 
such as computing a MAC. 

While many formal details of our logical derivation of GDOI will have to be 
omitted, the axioms and the derivation steps do yield to a simple diagrammatic 
presentation without an essential loss of precision or insight. As usually, messages 
are represented by horizontal arrows from one principal to another. A vertical 
line corresponds to principal’s internal change of state. If the principal creates a 
new value to, this is represented by putting vm next to the appropriate vertical 
line. Below, we describe a derivation of a simple challenge and response protocol, 
which we use to form the core of GDOI. 

There are several properties of protocols that will be of interest here. One, 
known as matching histories, due to Diffie, van Oorschot, and Wiener [9], says 
that after two principals complete a protocol successfully, then they both should 
have the same history of messages sent. Another, due to Lowe [14], known as 
agreement, says that the principals should agree not only about the message 
histories, but also about the source and destination of each message. 

Assumptions. A principal can be honest, and follow the protocol, or dishonest, 
and perform arbitrary actions. However, it is assumed that no principal, honest 
or dishonest, can compromise the private data used to authenticate him: they 
are securely bound to his identity, outside the considered protocols 3 , protocol 
cannot be to possession of authenticating We also tacitly assume strong typing. 
If a principal, for example, attempts to use a key in the place of a nonce, the 
message will be rejected. These assumptions are a matter of convenience, and 
can be discharged in a more detailed treatment. This is, indeed, needed when 
it comes, e.g., to perfect forward secrecy, which is of interest in GDOI, and 
describes the behavior of the protocol after a master key is compromised. 



4 Deriving Core GDOI 

In this section we derive the conclusions the principals can draw as a result 
of participating in Core GDOI, without Proof of Possession. This is done by 
first constructing a mutual hash-based challenge-response protocol, and then 
inserting key distribution. For reasons of space, we will only give a detailed 
presentation of the derivation of A’s conclusions as the result of participating in 
the Hash-based Challenge-Response, while giving a broad overview of the rest. 
We hope that this is enough to give a flavor of the logic. 



4.1 Hash-Based Challenge- Response 

The derivation of GDOI begins with the basic protocol functionality, which is 
mutual authentication through hash-based challenge-response. It is obtained by 

3 The authentication data that cannot be denied or delegated are sometimes called 
fingerprints. 
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composing and binding two copies of the challenge-response protocol described 
above, with the challenge and response functions instantiated: 

4 R , A R tt R A 

c m = m and r m = ri m 

Here, the hash H AB is axiomatized by 

H AB s = H AB t => s = t (hashl) 

(( H AB t)) x < => X=AWX=B (hash2) 

H AB t = H BA t => A = B (hash3) 

The idea is that H AB m = ho q(a AB , A, B, to), where h is a given pseudorandom 

function, a AB a secret shared by A and B , and q a convenient projection, perhaps 
eliminating one of the identifiers. The axioms capture enough of this intended 
meaning, to ensure that the above instantiation of c AB and r AB validates axiom 
(cr), so that we can prove 

A : ( vm) A ({{rn)) A < {{H BA m)) A 

=> ((to))a < ((m)) B < (( H BA m)) B < < ((H AB m)) A ^j (crh) 

where to denotes a term containing 4 to. The proof makes use of (rev) to conclude, 
if the message H BArather rh was received, it must have been sent by somebody, 
and (hash2) to conclude that the sender must have been B. It then makes use of 
(new) to conclude that to must have been created and sent by A and received 
by B previous to B ' s sending the hash. 

We now use (crh) to derive A’s conclusions. 

A sees : (toti)a < (m) A < ( H BA m) A 

knows (crh) : (ism) A (^((m)) A < (( H BA m)) A 

=> ((to)) a < ((to)) b < (( H BA m)) B < < {{H BA m))j^j 

concludes : (toti)a < ( to) a < ((to))b < {(H BA m)) b< < ( H BA m) A 

So keyed hash can be used for ping authentication. But furthermore, it turns out 
that composing and binding two copies of such hash-based authentication allows 
both principals to derive the exact order of all of their joint actions, and thus 
arrive at matching records of the conversation. To derive this, we begin from the 
simple hash-based challenge response, the first diagram in fig. 1. The responder 
B learns little (only that someone has sent a message), but A learns that B 
received her challenge and responded to it. The second diagram is obtained by 
sequential composition of two copies of the first one. We only display the first 
copy. The second one is symmetric, with B as the initiator and A as responder. 

Like before, the agent asserting containment may not be able to extract to, but must 
be able to verify its presence. 
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A B I A B I A B 




Fig. 1. Hash-based Challenge-Response: from one-way to mutual authentication 

The conclusions that A and B can draw are the union of the conclusions that 
they could draw as initiator and responder of two independent protocols: A 
knows that it receives a response to B, and B knows that it received a response 
from A, but they are not able to derive much more than that. The reasoning for 
A is as follows: 

A sees : ( urn ) a < {m) A < (n, H BA m)A < ( H AB n) A 
(crh) (um) A ^((m)) A < (( H BA m)) A 

=> ((m))A < (( m)) B < (( H BA m)) B < < (( H BA m )) A ) 

(rev) (t) => 3a. a = (t) A a < ( t ) 

A : (i/to) a < (m) A < ((m)) B < ({H BA m)) B< < (n,H BA m) A < (H AB n) A 

A 3 Y. ((n : B — » A))y < (n, H BA m : B — > A) a 

The third protocol is obtained by binding the two one-way authentications by 
a simple protocol transformation, introducing responder’s challenge into his re- 
sponse. In the logic, this is accompanied by the protocol specific definition of 
B' s honesty: 

A : B honest (x) B -C {vy) B -< (y,H BA (x,y)) B A ( H AB y) B 

where A is an agent from the initiator role. This statement tells that, if A 
knows that any of the above events have occurred, then A knows that all of the 
preceding events must have occurred as well, in the described order provided 
that B is honest, and acts according to the protocol. The reasoning now proceeds 
as follows. 

A sees : ( vm)A < ( tti)a < (n, H(m,n))A < ( Bn ) a 
(crh) {vm) A ({{m))A < (( Hm)) A 

=> (( m)) A < ((m)) B < (( Hm)) B< < (( Hm )) A ) 

(rev) (t) => 3a. a = (t) A a < (t) 

A : B honest (x) B A (vy) B A (y,H(x,y)) B A ( Hy) B 

Just as in the one-way authentications, the conclusion is 

A (i) : (urn ) a < (m) A < ((m)) B < (( H(m,n))) B< < ( n,H(m,n)) A 
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On the other hand, from the honesty assumption 

A (ii) : B honest A (( Hx)) b => (x) B < (vy) B « (y,H(x 1 y)) B< = (( Hm)) B 

where, as we recall, x denotes a term containing x. Instantiating x = in and x = 
( m,n ), we get the antecedens that (( H(m,n))) B has occurred. The consequens 
now tells that the action (( H(m , n))) B< of (i) must be ( y,H(m , y)) B of (ii), with 
y fresh. From axiom (hashl), A derives that n = y and thus 

A : B honest => ( wrn)A < (to) a < 

(■ m) B < {vn) B < ( n,H BA (m,n)) B < (n, H BA (m,n))A < { H ab ti)a 

By similar reasoning, B reaches the same conclusion, just extended by ( H AB n ) B 
at the end. The hash-based challenge-response thus yields the matching conver- 
sations authentication. 

In fact, with the same assumptions, A can derive essentially more: not only 
that B has indeed sent the response that she has received, and generated the 
challenge that she has responded to - but also that B has intended his response 
and his challenge for her. More precisely, the above conclusion of A’s can be 
extended by the desired source and destination of each message, A — » B, or 
B — ► A. Indeed, assuming that B is honest, 

— he must have received (to : A — > B) b , because he would never form H BA 
(to. . . .) otherwise, and then 

— he must have generated fresh n and sent (n, H BA (m,n) : B — > A) B , again 
because the protocol and his honesty say so. 

Formalizing this, A can first prove that the above definition of B’s honesty is 
equivalent to a stronger formula: 

A : B honest (a: : A — > B) b -< (yy) B ~< 

(y, H BA (x , y) : B —> A) B -< ( H AB y :A^B) b 

and then strengthen the rest of her reasoning. Mutatis mutandis, the same holds 
for B. The principals thus agree not only about the order of their joint actions, 
but also about the intended sources and destinations of their messages, and about 
each other’s identity. This stronger form of authentication is called agreement in 
Lowe’s hierarchy [14]. While matching conversations authentication suffices for 
some purposes, we shall see in the sequel how it can lead to misidentification 
even in combination with agreement. 

4.2 Towards GDOI: Hash-Based Authenticated Key Distribution 

Towards authenticated key distribution, the hash-based mutual authentication 
protocol should now be composed with the hash-based key distribution proto- 
col, identifying initiator’s nonces used in the two components. The argument 
is essentially the same as that for hash-based challenge-response, so we omit it 
here. In the first diagram in fig. 2, we start with a protocol pattern in which 
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Fig. 2. Composition with hash-based key distribution 



hash-based challenge-response is used to guarantee authentication of a key (or 
any other piece of data). As a result of this protocol, A can conclude that B 
sent the key in response to her challenge. In the second diagram, we compose 
the key distribution with the challenge-response diagram from fig. 1. Now A can 
conclude that B has responded to her challenge with challenge of his own, and 
later with a key. B can conclude that A was still participating in the protocol at 
the time he received the challenge (that is, that the first message that it received 
from A was not a replay). The last diagram in fig. 2 is a simple refinement that 
authenticates the initial challenge 5 . This step is independent, and can been in- 
troduced at any point in the derivation. In any case, it is not hard to prove that 
the authenticity properties, achieved in the hash-based challenge response, are 
preserved under the last two derivation steps. The same messages that appear in 
the hash-based challenge response also appear in the hash-based key distribution 
in the same order. So the same proof strategy works again. 

Since the distributed key is also authenticated by hash, the resulting protocol 
- the core of GDOI - thus realizes the agreement authentication again. This 
means that each principal can exactly derive the order of all actions (except 
that the sender of the very last message cannot know that it is received) - 
including the correct source and the intended destination of each message. 

5 Adding Second Authentication 

In this section we describe the second way of authorizing group membership and 
leadership. This is done by passing a signed public key certificate with a new 
identity and additional authorizations. This can be done for either the group 
member, or the GCKS, or both. A principal is intended to prove possession 
of the private key corresponding to the public key contained in the certificate 
by using it to sign the two nonces. Thus we can think of GDOI with proof-of- 
possession (PoP) as the composition of two protocols: the core GDOI protocol 
and the PoP protocol. 

Omitting this would expose B to a denial-of-service. 
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5.1 Towards PoP: Signature-Based Challenge- Response 

The PoP protocol is another implementation of the abstract challenge response 
template (cr), this time using signatures. The challenge is again just c AB m = m, 
but the response is r AB m = C B ,S B m , where S B is B’s signature, axiomatized 
by 



S B t = S B u = 


=> t = u 


(sigl) 


« s B t)) x< = 


=> X = B 


(sig2) 


V B (y,t) *= 


=> y = S B t 


(sig3) 



whereas C B is B ' s certificate, with her identity bound to the signature verifi- 
cation algorithm V B , and possibly containing additional authorization payload, 
used in GDOI. As usually, the integrity of this binding is assured by certifying 
authority. The derivation proceeds similarly as for the hash-based authentica- 
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Fig. 3. Signature-based Challenge-Response: from one-way to mutual authentication 



tion. The difference is that the second diagram in fig. 3 is a nested composition 
of two copies of the first, rather than a sequential composition, as in fig. 1. We 
only display the inner copy, while the outer one is symmetric, with A as the 
initiator, and B as responder. Like before, the third diagram is obtained by 
binding transformations, i.e. introducing each principal’s own challenge into his 
response. The result is what we call the PoP protocol. 



Properties and attacks. The proof of the matching conversation authenticity 
for the signature-based challenge response protocol closely follows the proof for 
the hash-based protocol, presented in sec. 4.1. However, while the latter proof 
readily extends to a proof of agreement, by extending the messages by A — > B 
and B — > A, the former does not. 

The reason is that the messages in the hash-based protocol carry enough 
information to ensure that an honest principal, say A, will send the messages 
to the correct destination B - whereas in the signature-based protocol they do 
not. More concretely, in the hash-based protocol, the assertion that A is honest 
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and sends and receives the messages in correct order implies, as we have seen, 
that the sources and the destinations of the messages are also correct. In the 
simplest signature-based challenge response protocol, B’s assumption that A 
is honest, B : A honest •<=>• (h)a A ((C A , S a h))a cannot be extended to 
( C A , S A n : A — » B)a • While the response H AB n must be for B if A is honest, 
the response C A , S A n does not tell who A may have intended it for, honestly or 
not. 

The signature-based challenge response protocols thus realize matching con- 
versations authentication, but they do not realize agreement, and do allow iden- 
tity confusion. Indeed, by spoofing the source of B's challenge, and the destina- 
tion of A's response, an intruder / can convince B that he has authenticated a, 
while A believes that she has been authenticated by I, and knows nothing of B. 
This is illustrated in in the first diagram in fig. 4. The attack validates e.g. the 
following statement 

B : A honest => (^n)s < (u)s < (u)a < ( C a 1 S a h)a < ( C a ,S a ti)b 

A^(b : A honest => (C A ,S A n : A^B) a ) 

which shows that it cannot validate agreement authentication. Now recall the 
derivation pattern displayed in fig. 3, used to derive a mutual authentication 
protocol by nested composition and binding of two copies of one way authen- 
tication. Applying this derivation pattern not to the one way authentication 
protocol itself, but to the attack on it - yields a similar attack on the resulting 
mutual authentication protocol. This attack is illustrated in the second diagram 
of fig. 4. A formula contradicting the agreement authentication, but asserting 
the matching conversation can be extracted just as above. 
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Fig. 4. Attacks Against Signature-Based Challenge-Response 



To remove the attacks, one would need to provide grounds for the reasoning 
pattern that led to establishing the agreement authentication in sec. 4.1. Like 
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there, the response function should thus be extended by peer’s information, 
which would allow the extending honesty assertion by the source and destination 
fields. When anonymity of the initiator is not required, this can be achieved by 
taking r AB m = C B ,S B (A , m) 

5.2 Composing Core GDOI with the PoP Option 

We are now ready to compose core GDOI, derived in sec. 4, with the PoP 
protocol, derived above. This is shown in fig. 5, where we abbreviate S x = 
S x (m . , n). 



B 



I m,H AB Tn:A — *B 

O S>- O 



n, H ( m,n):B — >A 



H AB n, C A , S A : A^B 



k,H BA (m,k), C B ' , X B ': B^A 



B 



m,H AB m : A—*B 



n,H ( m,n ): B — >A 



H AB (n,C A ,U A ),C A ,U A :A—>B 






l BA (m,k,C B ' , S B '), C B ',S B ':B^A 



Fig. 5. Composition of Core GDOI with PoP 

In the first diagram, we compose the hash-based protocol from sec. 4.2 with 
the signature-based protocol from sec. 5.1, identifying the fresh data. In the sec- 
ond diagram, we bind the two components using hashes. Note that the principal 
A claims both A and A! as her identities: one as the source field of her message, 
the other through the certificate, which she proves as hers by the signature. The 
principal B similarly claims both B and B' . 



6 Attacks on GDOI with PoP and Its Defenses 

When we attempted to prove the security of the composition of the core GDOI 
and POP, we found that the proofs derived for GDOI and for POP could not 
be composed, because the two components used two different identities. At a 
closer examination, it turned out that this fact not only preempted a proof of 
security of the composite protocol, but also allowed a derivation of an attack 
on it. A further attempt to prove security of an amended version then led to a 
derivation of an additional, more subtle attack. Defending the protocol against 
this attack, we arrived at the version supporting the agreement authentication. 
We shall now discuss these attacks and the defenses against them. 
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The first attack on the composite protocol is obtained by composing attack 
on the PoP component with the GDOI protocol. It can be specified by compos- 
ing the vulnerability statement about PoP from sec. 5.1, with the statements 
derived about GDOI. The composition turns out to preserve the vulnerability. 
The second attack emerges from the interaction of the components, even after 
the attack on the PoP component has been eliminated. 



6.1 Lifting the Attack from PoP 

The attack on the PoP, presented in sec. 5.1, leaves the responder confused about 
who the initiator is actually trying to initiate contact with. To lift this attack 
to GDOI, we compose it with the core GDOI, as derived in sec. 4. This is step 
done in the same way as the PoP protocol itself was composed with core GDOI 
in sec. 5.2, to yield GDOI. The derivation of this attack on GDOI thus parallels 
the derivation of GDOI itself, up to the last step, when it introduces the attack 
on the PoP component, instead of the PoP itself. This is illustrated in fig. 6. 
We compose two copies of the GDOI protocol, one between A as initiator and I 
as responder, and the other between I as initiator and B as responder, with a 
copy of the attack on the signature protocol in sec. 5.1, in which I claims to B 
that A' is his identity, and proves this by certificate and signature. The notation 
Xa' refers to the fact that the agent X claims the identity of A' (in this case by 
proving possession of the certificate belonging with this identity) . The upshot of 
this attack is that a rogue GCKS /, who does not have the credentials to join 
the group managed by GCKS B , could hijack the credentials belonging to A 
under identity A' that she presents to I when joining /’ s group. 



A solution? The simplest way to eliminate this composition is to eliminate 
the attack in fig. 4, i.e. to strengthen the signature-based authentication from 
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Fig. 6. Lifted attack on GDOI with PoP 
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matching conversations to agreement. As pointed out in sec. 5.1, this can be 
done by introducing the peer’s identity under the signature, responding to the 
challenge, i.e. to replace E A by Eg, = S A ( B',m,n ) We do the same for S B . 
However, eliminating the attack on the component is in this case not enough to 
solve the problem. 

6.2 Emergent Attack 

Even if the PoP protocol is modified as recommended, an attack can still emerges 
in composition. To see this, consider the modified version of GDOI with PoP, 
where E A is replaced by Eg , , and E B by E B , . In order to allow A' to introduce 
the identity B' under her signature in the third message, this transformation 
must be enabled by moving the certificate C B from the last message to the sec- 
ond one. The attack that nevertheless arises is presented in fig. 7. The attack still 
allows a correct hash-based mutual authentication between A and I (obtained 
by removing certificates and signatures), and a correct signature-based mutual 
authentication between A' and B' (obtained by removing hashes) yet putting 
these two authentications together leaves A believing that the identifiers I and 
B' belong to the same principal, and B believing that the identifiers / and A' 
belong to the same principal. 
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Fig. 7. Emergent Attack on modified GDOI 



Suggested solution. A solution currently under discussion with the designers 
of GDOI is to introduce the shared secret a AB under the signatures, i.e. to replace 
E A = S A (m, n) in fig. 5 by E^ B = S A (a AB , m, n), and symmetrically E B by 
E b b . Alternatively, instead of a AB , one could use other identifying information, 
such as A’s Phase 1 identity, could be used in place of a AB . 

The responder’s security argument now boils down to proving that, if either 
A or A' is honest, then A = A' . If A' is honest, then she will only sign the a AB 
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belonging to her, so B can conclude that A' = A. On the other hand, if A is 
honest, then, since S A B appears in a hash computed with ,4’s key a AB , B can 
conclude that A must have included the signature, which she only would have 
done if she herself had produced it using W’s private key. Therefore, B can again 
conclude that A = A' . A similar proof works for A’s conclusions about B and 
B'. 

One thing that the responder B cannot conclude is that A = A' if both 
A and A' are dishonest. Even if A and A' do not share their long-term keys, 
we can produce a counterexample, albeit with a refined definition of digital 
signature. Note that the axiomitization in section 5.1 disallows message recovery. 
The recommended implementation of this uses a one-way hash of signed data. If 
this is captured in the axioms, then we can show that A can still pass the hash 
of (a AB ,m,n) to A', without revealing its long-term key. After A' computes the 
signature, she can pass S A B = S A (a AB ,m,n) to A , who can then include it 
in her hashed message. Avoiding this collusion by signatures without hashing 
is cryptographically unsound, and opens up even more risks. So the problem of 
collusion remains open. 

7 Conclusion 

The presented results illustrate some of the features of a compositional protocol 
logic, and in particular the fragment for distributed reasoning in authentication 
protocols. The claim is that such logic not only supports incremental protocol 
design and analysis, but also facilitates the attack construction. The discovery of 
the compositional flaw in the GDOI group key exchange protocol, and the anal- 
yses of the various ways in which the protocol could be fixed and proven correct, 
provide evidence for this. The derivation system has not only been instrumental 
not only in protocol analysis and attack construction, but was also useful tool 
for communicating the issues to the GDOI authors and the Msec working group. 

One might ask, how could this problem happen in the first place, since GDOI 
had already undergone a formal analysis with another tool, the NRL Protocol 
Analyzer? Indeed, the flaw that we found is very much of the type that the NPA 
can find. The answer is that the fact that certificate identities could be different 
from Phase 1 identities was missed by the authors of [16] when they were eliciting 
requirements. But, even if it had been caught, it would have not been trivial to 
go back and reverify the protocol with the NPA. With the derivational approach, 
we are able to verify only the parts that had changed. 

Indeed, we note also that the approach of this logic addresses a growing prob- 
lem in the design of cryptographic protocols: the problem of securely composing 
two or more different protocols. As Asokan et al. point out in [1], deploying a 
new protocol is expensive, and there is considerable pressure to reuse security 
protocols and security context databases by composing them with other proto- 
cols. However, the problem of securely reusing these protocols in new contexts 
is not well understood. Indeed, a man-in-the-middle attack of the sort described 
in [1] was found on the IETF’s Extendible Authentication Protocol [4], and has 
much in common with the attack we found on Proof of Possession. 
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In conclusion, we believe that our approach offers the possibility of greatly 
facilitating the formal methods to cryptographic protocol analysis. Not only 
should it be possible to provide a complete verification of a protocol at one stage 
of its life, but to reverify the protocol as modifications are suggested and incor- 
porated. Moreover, it facilitates the study of the growing problem of composition 
of protocols and protocol reuse. 
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Abstract. The trusted computing group (TCG) specified two protocols 
that allow a trusted hardware device to remotely convince a communi- 
cation partner that it is indeed a trusted hardware device. In turn, This 
enables two communication partners to establish that the other end is 
a secure computing platform and hence it is safe exchange data. Both 
these remote identification protocols provide some degree of privacy to 
users of the platforms. That is, the communication partners can only 
establish that the other end uses some trusted hardware device but not 
which particular one. The first protocol achieves this property by involv- 
ing trusted third party called Privacy CA in each transaction. This party 
must be fully trusted by all other parties. In practice, however, this is 
a strong requirement that is hard to fulfill. Therefore, TCG proposed a 
second protocol called direct anonymous attestation that overcomes this 
drawback using techniques known from group signature schemes. How- 
ever, it offers less privacy than the one involving the Privacy CA. The 
reason for this is that the protocol needs to allow the verifier to detect 
rogue hardware devices while before this detection was done by the Pri- 
vacy CA. In this paper we show how to extend the direct anonymous 
attestation protocols such that if offers the same degree of privacy as the 
first solution but still allows the verifier to rogue devices. 



1 Introduction 

Consider a trusted hardware module, called the trusted platform module (TPM) 
in the following, that is integrated into a platform such as a laptop or a mobile 
phone. Assume that the user of such a platform communicates with a verifier 
who wants to be assured that the user indeed uses a platform containing such a 
trusted hardware module, i.e., the verifier wants the TPM to authenticate itself. 
However, the user wants her privacy protected and therefore requires that the 
verifier only learns that she uses a TPM but not which particular one - otherwise 
all her transactions would become linkable to each other. This problem arose in 
the context of the Trusted Computing Group (TCG). TCG is an industry stan- 
dardization body that aims to develop and promote an open industry standard 
for trusted computing hardware and software building blocks to enable more 
secure data storage, online business practices, and online commerce transactions 
while protecting privacy and individual rights (cf. [19]). TCG is the successor 
organization of the Trusted Computing Platform Alliance (TCPA) . 



P. Samarati et al. (Eds.): ESORICS 2004, LNCS 3193, pp. 73—88, 2004. 
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In principle, the problem just described could be solved using any standard 
public key authentication scheme (or signature scheme): One would generate 
a secret/public key pair, and then embed the secret key into each TPM. The 
verifier and the TPM would then run the authentication protocol. Because all 
TPMs use the same key, they are indistinguishable. However, this approach 
would never work in practice: as soon as one hardware module (TPM) gets 
compromised and the secret key extracted and published, verifiers can no longer 
distinguish between real TPMs and fake ones. Therefore, detection of rogue 
TPMs needs to be a further requirement. 

The solution first developed by TCG uses a trusted third party, the so- 
called privacy certification authority (Privacy CA), and works as follows [17]. 
Each TPM generates an RSA key pair called an Endorsement Key (EK). The 
Privacy CA is assumed to know the Endorsement Keys of all (valid) TPMs. 
Now, when a TPM needs to authenticate itself to a verifier, it generates a second 
RSA key pair called an Attestation Identity Key (AIK), sends the AIK public 
key to the Privacy CA, and authenticates this public key w.r.t. the EK. The 
Privacy CA will check whether it finds the EK in its list and, if so, issues a 
certificate on the TPM’s AIK. The TPM can then forward this certificate to 
the verifier and authenticate itself w.r.t. this AIK. In this solution, there are 
two possibilities to detect a rogue TPM: 1) If the EK secret key was extracted 
from a TPM, distributed, and then detected and announced as a rogue secret 
key, the Privacy CA can compute the corresponding public key and remove it 
from its list of valid Endorsement Keys. 2) If the Privacy CA gets many requests 
that are authorized using the same Endorsement Key, it might want to reject 
these requests. The exact threshold on requests that are allowed before a TPM 
is tagged rogue depends of course on the actual environment and applications, 
and will in practise probably be determined by some risk-management policy. 

This solutions has the obvious drawback that the Privacy CA needs to be 
involved in every transaction and thus highly available on the one hand but 
still as secure as an ordinary certification authority that normally operates off- 
line on the other hand. Moreover, if the Privacy CA and the verifier collude, or 
the Privacy CA’s transaction records are revealed to the verifier by some other 
means, the verifier will still be able to uniquely identify a TPM. Similarly, the 
verifier needs to trust the Privacy CA not to issue certificate to just anybody, 
but only the genuine TPM. These trust relationships are in fact the more severe 
drawback as it is not clear who would provide such a Privacy CA service. 

To overcome these problems, TCG included in the TPM vl.2 specifica- 
tion [18,4] an alternative proposal called direct anonymous attestation. This 
new protocols draws on techniques that have been developed for group signa- 
tures [11,8, 1], identity escrow [14], and credential systems [10,5]. In fact, direct 
anonymous attestation can be seen as a group signature scheme without the 
capability to open signatures (or anonymity revocation) but with a mechanism 
to detect rogue members (TPMs in this case). More precisely, it also employs a 
suitable signature scheme to issue certificates on a membership public key gen- 
erated by a TPM. Then, to authenticate as a group member, or valid TPM, a 
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TPM proves that it possesses a certificate on a public key for which it also knows 
the secret key. To allow a verifier to detect rogue TPMs, the TPM is further re- 
quired to reveal and prove correct of a value Ny = where / is its secret key 
and £ is a generator of an algebraic group where computing discrete logarithms 
is infeasible. As in the Privacy-CA solution, there are two possibilities for the 
verifier to detect a rogue TPM: 1) By comparing Ny with for all /’ s that are 
known to stem from rogue TPMs. 2) By detecting whether he has seen the same 
Ny too many times. Of course, the second method only works if the verifier 
always uses the same (, or at least changes it only rarely. However, ( should not 
be a fixed system parameter as otherwise the user gains almost no privacy - in 
the TCG specification it is proposed that either ( be somehow derived from the 
verifier’s name, e.g., using an appropriate hash function. However, this has the 
drawback that it allows the verifier to link transactions by perfectly honest users 
and hence drastically reduces the privacy offered by the direct anonymous attes- 
tation. In fact, in this respect, direct anonymous attestation is inferior to TCG’s 
initial Privacy CA solution. There, a user can get a new certificate from the 
Privacy CA for each transactions and hence a verifier can not link the different 
transactions (unless it colludes with the Privacy CA). 

In this paper we show how direct anonymous attestation can be modified 
such that it offers the same degree of privacy as the Privacy CA solution but it 
is still possible to detect rogue TPM. That is, it allows the verifier to check the 
frequency a TPM accesses some service but prevents it from doing profiling. The 
idea is to separate the frequency check from the request of the service. This can 
be done as follows: the verifier checks that the TPM’s authentication as a genuine 
TPM using the direct anonymous attestation protocol, performs the frequency 
check and, if the check succeeds, issues an anonymous one-time certificate to the 
TPM/lrost instead of providing the service. In the following we will often call 
this anonymous one-time certificate a frequency certificate. Later, the TPM/host 
can then access the service using the anonymous one-time certificate. Of course, 
this frequency certificate must be such that 

— the issuing of the certificate and its use cannot be linked, 

— it can only be used a single time and with a single verifier, and 

— it is tied to the particular TPM/host, i.e., cannot be transferred. 

The first property can be achieved either by using so-called blind signatures [9] or 
by using an the approach similar to the one used for direct anonymous attestation 
and group signatures [8,4], The second property can be obtained by including 
the verifier’s name and something like a serial number in the certificate. Finally, 
the third property is obtained by ensuring that the DAA attestation and the 
frequency certificate share a common value that is unique for each TPM. This 
value must of course be hidden from the verifier and the Privacy CA, but the 
TPM/host needs to prove to the verifier that the attestation certificate and the 
frequency certificate share such a values. Thus, the TPM/host need to convince 
the verifier not only that they have obtained the frequency certificate from the 
Privacy CA but also that they got attestation and that these two credentials 
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share a common value. Of course, here the TPM/host must use a random base 
C when showing that they have obtained the attestation. 

In this paper we will show how to implement all of this, using the same 
approach to issue and using frequency certificate that is used for anonymous 
attestation. For simplicity we assume that the frequency test are not performed 
by the verifier itself but by a third party which we will call Privacy CA. How- 
ever, we stress that in the remainder of this document, the verifier can be the 
same entity as the Privacy CA without that any security and privacy property 
is compromised. We also note that the protocols we propose are compatible with 
the TCG TPM vl.2 specifications [18,4], That is, while we require some mod- 
ification to the direct anonymous attestation protocol, the parts of it that are 
executed by the TPM (i.e. , realized in hardware) need not to be modified! 

Our protocols as well as direct anonymous attestation [18,4] are based on 
prior work on group signatures and credential systems [1, 5, 6] that relies on the 
strong RSA assumption. While one could also base our protocol on the recently 
proposed groups signature scheme by Boneh, Boyen, Shacham [3] and Camenisch 
and Lysyanskaya [7] that use bi-linear maps, this seems not preferable as this 
would introduce additional computational assumptions to the ones already em- 
ployed by direct anonymous attestation. 



2 Informal Model 

This section provides an informal model of what our protocols is supposed to 
achieve. A formal model is beyond the scope of this extended abstract. However, 
it is not too hard to modify and adapt the model provided in [4] to our purposes. 

The parties in our model are several trusted platform modules (TPMs) , sev- 
eral hosts, an attester, several Privacy CAs, and several verifiers. Each host has 
exclusive access to a TPM. As a TPM is embedded into a host, all communica- 
tion to and from a TPM is routed via its host. We call the pair host and TPM 
also platform. 

The systems consists of the following procedures. 

Key Generation and Setup. There are key generation algorithms for the attester, 
the Privacy CA and the TPM. We assume that each of these parties has made 
its public key authentically available. 

Attestation Protocol. This is a protocol involving the attester, a TPM and the 
corresponding host. The attester ’s input to the protocol is its secret and public 
keys as well as a list of public keys of valid TPMs, the inputs to the TPM 
consists of its secret and public keys and the public key of the attester, and 
the input to the host are the public keys of the attester and the TPM. 

If the protocol terminates successfully, the TPM and host will have obtained 
a attestation certificate from the attester. 

Frequency-Certification Protocol. This is a protocol involving the a Privacy CA, 
a TPM, and the corresponding host. The Privacy CA’s input to the protocol 
is its secret and public keys as well as the public key of the attester, the 
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inputs to the TPM consists of its secret and public keys, the public key of 
the attester and an attestation certificate, and the input to the host are the 
public keys of the attester, the Privacy CA, and the TPM and an attestation 
certificate. Furthermore, the Privacy CA’s input also contains a policy stating 
how frequently a TPM is allowed to obtain a frequency certificate from it. The 
inputs to the TPM consists of its secret and public keys, the public key of 
the attester, and an attestation certificate, and the input to the host are the 
public keys of the attester, the Privacy CA, and the TPM and an attestation 
certificate. 

If the protocol terminates successfully, the TPM and host will have obtained 
a frequency certificate from the Privacy CA while the Privacy CA will have 
obtained a pseudonym of the TPM. 

Verify. This is a protocol involving a verifier, a TPM, and the corresponding 
host. The input of the verifier consists of the public keys of the attester and a 
Privacy CA, the inputs to the TPM consists of its secret and public keys, the 
public key of the attester, an attestation certificate, and a frequency certificate, 
and the input to the host are the public keys of the attester, the Privacy CA, 
and the TPM, an attestation certificate, and a frequency certificate. 

The security requirements are as follows. 

Unforgeability. A TPM-host pair should only obtain a frequency certificate from 
a Privacy CA if it has obtained an attestation certificate from the attester and 
if it has not asked the same Privacy CA for too many frequency certificates 
within a given time. This requires that a TPM-host pair can have only a single 
pseudonym with a given Privacy CA. Furthermore, a frequency certificate 
should be usable only once and with a single verifier. 

Anonymity. All transactions by the TPM-host pair should be unlinkable, except 
transactions with the same Privacy CA. 

3 Preliminaries 

Let {0,1} £ denote the set of all binary strings of length l. We often switch 
between integers and their representation as binary strings, e.g., we write {0, l} f 
for the set [0, — 1] of integers. Moreover, we often use ±{0, l} e to denote the 

set [-2* + l,2 *-l]. 

We need some notation to select the high and low order bits of an integer. Let 
LSB u (:c) := x — 2 u L^rJ and CAR u (:r) := Let (xk ■ ■ .xo)b denote the binary 
representation of x = J2i=o 2 L Xi, e.g., (1001);, is the binary representation of the 
integer 9. Also note that x = LSB„(a;) + 2“CAR [1 (;t). 

In our scheme we will use various protocols to prove knowledge of and re- 
lations among discrete logarithms. To describe these protocols, we use notation 
introduced by Camenisclr and Stadler [8] for various proofs of knowledge of 
discrete logarithms and proofs of the validity of statements about discrete log- 
arithms. For instance, PK{(a,(3, 7) : y = g a hP A y = g Q /i 7 A (u < a < u)} 
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denotes a “ zero-knowledge Proof of Knowledge of integers a, /3, and 7 such that 
y = g a h P and y = g a h 7 holds, where u < a < v” where y,g,h,y,g, and h are 
elements of some groups G = (g) = (h) and G = (g) = (h). The convention is 
that Greek letters denote the quantities the knowledge of which is being proved, 
while all other parameters are known to the verifier. Using this notation, a proof 
protocol can be described by just pointing out its aim while hiding all details. 

In the random oracle model, such protocols can be turned into signature 
schemes using the Fiat-Slramir heuristic [12, 16]. We use the notation SPK{(a) : 
V — g a }(m) to denote a signature obtained in this way and call it proof signature. 



The Camenisch-Lysyanskaya Signature Scheme. The direct anonymous 
attestation scheme as well as our new scheme are both based on the Camenisch- 
Lysyanskaya (CL) signature scheme [6]. Unlike most signature schemes, this one 
is particularly suited for our purposes as it allows for efficient protocols to prove 
knowledge of a signature and to retrieve signatures on secret messages efficiently 
using discrete logarithm based proofs of knowledge [6] . As we will use somewhat 
different (and also optimized) protocols for these tasks than those provided in [6], 
we recall the signature scheme here and give an overview of discrete logarithm 
based proofs of knowledge in the following subsection. 

Key generation. On input l fe , choose a special RSA modulus n — pq , p = 2 p' + 1, 
q = 2 q' + 1. Choose, uniformly at random, Rq, . . . , Rl- 1, S, Z € QR„. Output 
the public key (n, Ro, ■ ■ ■ , Rl~%, S, Z) and the secret key p. Let £ n be the 
length of n. 

Signing algorithm. Let £ m be a parameter. On input (mo, . . . , m^-i) with m,; € 
±{0,l} fm }, choose a random prime number e of length £ e > £ m + 2, and 
a random number v of length £ v = £ n + £ m + £ r , where £ r is a security 
parameter. Compute the value A such that Z = R . . . R™ff 1 S v A e (mod n). 
The signature on the message (mo, . . . , mu) consists of (e, A, v). 
Verification algorithm. To verify that the tuple (e, A, v) is a signature on message 
(mo, • • ■ , ?n_L_i), check that Z = A e R™° . . . R™ff 1 S v (mod n), and check that 
2 le > e> 2 (e ~ 1 . 

Theorem 1 ([6]). The signature scheme is secure against adaptive chosen mes- 
sage attacks [13] under the strong RSA assumption. 

The original scheme considered messages in the interval [0, 2 t - m — 1] . Here, 
however, we allow messages from [— 2 tm + l,2 fm — 1]. The only consequence of 
this is that we need to require that £ e > £ m + 2 holds instead of £ e > £ m + 1. 



The Direct Anonymous Attestation Protocol. In this section we review 
the idea underlying the direct anonymous attestation scheme. The idea is in 
fact similar to the one of the Camenisch-Lysyanskaya anonymous credential sys- 
tem [5,6]: A trusted hardware module (TPM) chooses a secret “message” /, 
obtains a Camenisch-Lysyanskaya (CL) signature (aka attestation) on it from 
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the attester via a secure two-party protocol, and then can convince a verifier 
that it got attestation anonymously by a proof of knowledge of a signature on a 
secret message. To allow the verifier to recognize rogue TPMs, a TPM must also 
provide a pseudonym Ny and a proof that the pseudonym is formed correctly, 
i.e., that it is derived from the TPM’s secret / contained in the attestation and a 
base determined by the verifier. We discuss different ways to handle rogue TPMs 
later. 

Let us now describe this more detailed. Let (n, S, Z, Ro, Ri, R2) be the at- 
tester’s public key for the CL signature scheme. First, for efficiency reasons, the 
TPM’s secret / is split into two If- bit messages to be signed. These (secret) 
messages are denoted by fo and f\ (instead of mo and mi). This split allows 
for smaller primes e as their size depends on the size of the messages that get 
signed, which will make issuing of signature more efficient. The two-party pro- 
tocol to sign secret messages is as follows (cf. [6]). First, the TPM sends the 
attester a commitment to the message-pair (/ 0 , /1), i.e., U := R^ 0 S v ' , where 
v' is a value chosen randomly by the TPM to “blind” the /,;’ s. Also, the TPM 

r 1 f nt. f 

computes Nj := Q° J1 mod T, where fi is a quantity derived from the at- 
tester’s name, and sends U and A/ to the attester. Next, the TPM convinces the 
attester that U and Aj correctly formed (using a proof of knowledge a represen- 
tation of U w.r.t. the bases Rq,Ri,S and A/ w.r.t. fi) and that the ff s lie in 
±{0, i}C+^+A*+2, w h ere anc j 1 0 are security parameters. This interval 

is larger than the one from which the /,’s actually stem because of the proof 
of knowledge we apply here. If the attester accepts the proof, it compares A/ 
with previous such values obtained from this TPM to decide whether it wants 
to issue a certificate to TPM w.r.t. A/ or not. (The attester might not want to 
grant too many credentials to the TPM w.r.t. different Aj, but should re-grant 
a credential to a A/ it has already accepted.) To issue a credential, the attester 
chooses a random t^-bit integer v" and a random £ e -b\t prime e, signs the hidden 
messages by computing A := ( LT g v " ) ^ mod n > and sends the TPM (A, e,i>"). 
The attester also proves to the TPM that she computed A correctly. The signa- 
ture on (/o, /1) is then (A, e, v := v’ + v "), where v should be kept secret by the 
TPM (for fo and /1 to remain hidden from the attester), while A and e can be 
public. This concludes the description of the DAA-Join protocol. 

A TPM can now prove that it has obtained attestation by proving that it got 
a CL-signature on some values fo and /1 . This can be done by a zero-knowledge 
proof of knowledge of values /o, fi, A, e, and v such that A e R.( j °R{ 1 S v = Z 
(mod n). Also, the TPM computes Ay := 2 1 moc i p anc i proves that the 

exponent here is related to those in the attestation, where ( G (7), i.e., the 
subgroup of Z * r of order p. This proof of knowledge is turned into a signature 
scheme using the Fiat-Shamir heuristic. The specification provides to modes for 
this signature scheme: in one mode, an arbitrary message can be signed, in the 
other mode an attestation identity key (AIK) generated by the TPM is signed. 
This ensures that the verifier can tell whether a signed AIK was indeed produced 
by and is held inside a TPM. The resulting procedure is called DAA-Sign. 
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The base ( is either chosen randomly by the TPM or is generated from a 
basename value bsny provided by the verifier. As mentioned in the introductions, 
the value Ny serves two purposes. The first one is rogue-tagging: If a rogue TPM 
is found, the values /o and /i are extracted and put on a blacklist. The verifier 
can then check Ny against this blacklist by comparing it with £f°+fi 2 1 for all 
pairs (foifi) 011 the black list. Note that i) the black list can be expected to 
be short, ii) the exponents /o + /i2 £/ are small (e.g., 200-bits), and iii) batch- 
verification techniques can be applied [2]; so this check can be done efficiently. 
Also note that the blacklist need not be certified, e.g., by a certificate revocation 
agency: whenever /o, /i, A, e, and v are discovered, they can be published and 
everyone can verify whether (A, e, v) is a valid signature on /o and /j. The second 
purpose of Ny is its use as a pseudonym, i.e. , if £ is not chosen randomly by the 
TPM but generated from a basename then, whenever the same basename bsny 
is used, the TPM will provide the same value for Ny. This allows the verifier to 
link different transactions made by the same TPM while not identifying it, and 
to possibly reject a Ny if it appeared too many times. By defining how often a 
different basename is used (e.g., a different one per verifier and day), one obtains 
the full spectrum from full identification to pseudonymity to full anonymity. The 
way the basename is chosen, the frequency it is changed, and the threshold on 
how many times a particular Ny can appear before a verifier should reject it, 
is a question that depends on particular scenarios/applications and is outside of 
the scope of this paper. 

The actual anonymous attestation protocols outsources some operations of 
the TPM to the host in which the TPM is embedded. In particular, these are 
operation that are related to hiding the TPM’s identity but not to the capability 
of producing a proof-signature of knowledge of an attestation. The rationale 
behind this is that the host can always reveal a TPM’s identity. 

4 Better Privacy Using a Two Stage Authorization 

In this section we describe how we can achieve better privacy if we combine 
the direct anonymous attestation protocols with the Privacy CA approach. We 
will first describe the solution on a high level, similarly to the description of the 
direct anonymous attestation in the previous section. We will then describe the 
different protocols of our new scheme in more detail. 

High-Level Idea. Recall that using the DAA-join protocol, a TPM can get a 
certificate (A,e,v) from an attester such that A e R( ) 0 R[ 1 S v = Z (mod n) holds, 
where /o, fi, and v are only known to the TPM and (ffo, Ri, S, Z , n) are values 
of the attester’s public key. Using the DAA-sign protocol, a TPM can convince 
a verifier that it has obtained such a certificate without revealing any other 
information. That is, it can convince the verifier that it knows values A, e, /o, 
/i, and v such that the above equation holds. 

Now for our scheme, we need to modify the DAA-Join protocol such that 
the attester not only signs the secret keys of the TPM but also some value k t 
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the attester chooses such that it is unique for each TPM. That is, the certificate 
(A,e,v) the TPM/lrost obtains from an attester will satisfy 

A e R f 0 °R{ 1 R% t S v = Z (mod n) , 

and Ri is an additional value of the attester ’s public key. From this is also 
follows that kt should be an if- bit value. Of course, the attester has to send 
kt to the TPM. This value will then also be part of all other the certificates 
issued to the platform. The value of kt could for instance be derived from the 
TPM’s endorsement key EK or in some other way; there is no cryptographic 
requirement on how kt is chosen such as requiring that kt is a cryptographic 
hash of EK. 

Let us now look at how a frequency certificate is issued. Let (n, S, Z, Rq, Ri, R 2 ) 
be the Privacy CA’s public key for the CL signature scheme. Now, in order to 
get an anonymous frequency certificate from the Privacy CA, the TPM/host 
show the attestation certificate to the Privacy CA using a long-term named base 
£ for the computation of Ny and, if Ny passes the Privacy CA’s frequency test, 
they will obtain a frequency certificate (A, e, v) from the Privacy CA such that 

A e Rq° R'l 1 R£* R® x P“ date S v = Z (mod n) 

holds, where kt is the same values as in the attestation, ko and ki are val- 
ues chosen by the host, and exp-date is an encoding of the expiration date 
of the certificate (the different possible values of exp-date should be small to 
guarantee privacy). In getting this certificate from the Privacy CA, the TPM 
will need to be only involved in showing the attestation but not in anything 
related to the frequency certificate. The ko and k\ should identify the veri- 
fier and some random number in a cryptographically secure way, e.g., ko '■= 
LSBf / (IL(verif ier-name||ran)) and k\ := CAR #/ (IL(verif ier-name||ran)). 

Finally, when the host wants to show a verifier that is has obtained a certifi- 
cate from the Privacy CA, the TPM/host convince the verifier that 1) they have 
a valid attestation (using a random base ( in this proof), 2) they have a certifi- 
cate from the Privacy CA, 3) the attestation and the certificate are linked by a 
common values (i.e., kt), and 4) the certificates contains verifier-name, ran, 
and exp-date. That it, the TPM/host jointly proof knowledge of values This can 
be done by a zero-knowledge proof of knowledge of values fo , fi, A , e, and v, kt, 
A, e, v such that A e R f 0 ° r{' R% S v = Z (mod n) and A e R^R^R^R e 3 x ^ date S v = Z 
(mod n) hold (note that the verifier can compute ko and k± himself). 



Security Parameters. Our protocol employ the same security parameters as 
the direct anonymous attestation protocol [4], i.e., t n , if, £ e , £' e , £ v , £ 0 , in, £ r , 
ir, and i p , where £ n (2048) is the size of the RSA modulus, if (104) is the size 
of the ft s (information encoded into the certificate), £ e (368) is the size of the 
e’s (exponents, part of certificate), £' e (120) is the size of the interval the e’s are 
chosen from, £ v (2536) is the size of the i>’s (random value, part of certificate), £ 0 
(80) is the security parameter controlling the statistical zero-knowledge property, 
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t-H (160) is the output length of the hash function used for the Fiat-Shamir 
heuristic, l T (80) is the security parameter needed for the reduction in the proof 
of security, £p (1632) is the size of the modulus T, and t p (208) is the size of 
the order p of the sub group of h* r that is used for rogue-tagging (the numbers 
in parentheses are our proposal for these parameters). We require that: l e > 
£■0 + + nr&x{£f + 4 , £' e 2}, £ v > t n + £ 0 + t-R + max{y + £ r + 3 , (.0 + 2}, 

and £ p = 2£f. 

The parameters ir and i p should chosen such that the discrete logarithm 
problem in the subgroup of Z* r of order p with r and p being primes such that 
2 ep > p > 2 lp ~ 1 and 2 ir > T > 2 tr ~ 1 , has about the same difficulty as factoring 
£„-bit RSA moduli (see [15]). 

Finally, let H be a collision resistant hash function TL : {0, 1}* — * {0, 1} (?< . 

Key Generation and Setup. The attester runs the following key-generation al- 
gorithm. 

1. It chooses a RSA modulus n = pq with p = 2p' + 1, q = 2q' + 1 such that 
p,p' , q, q' are all primes and n has £ n bits. 

2. It chooses a random element g' Gr of order p'q'. 

3. Next, it chooses random integers Xo, Xi,X2,x z , x s , Xh,x g £ [1 ,p'q'] and com- 
putes g := g' Xg mod n, h := g' Xh mod n, S := h Xs mod n, Z := h Xz mod n, 
R 0 := S x ° mod n, R\ := S Xl mod n, R2 := S X2 mod n. 

4. It produces a non-interactive proof proof that Rq, Ri, S, Z , g , and h are 
computed correctly, i.e., that g,h G ( g '), S,Z G (h), and R 0 ,Ri,R 2 G ( S ) 
(see [4] for how this is done). 

5. Output the public key (n, g' ,g, h, S, Z , Rq, Ri,Rq) and the secret key ( p , q). 

We denote the resulting public key for the attester by PKj := ( n , g' , g, h, S, Z, 
Rq , R\ , R2 ) - The Privacy CA runs the same key generation algorithm, except 
that it also generates a third base R3 in the same way that Rq, , Rq are 
generated. We denote the thus generated public key of the Privacy CA by 
PK P := (n, g', g, h, S, Z, R 0 , Ri, R 2 . R3) 

The attester furthermore makes available a group (7) of prime order p, i.e., it 
chooses primes p and T such that T = rp + 1 for some r with p \ r, 2 t * r ~ 1 < T < 
2 t ' r , and 2 tp ~ 1 < p < 2 e i>. Choose a random 7 ' Gr h* r such that y( r-1 )/ p y \ 
(mod r) and set 7 := 7^ r_1 ^ p mod T. 

Finally, each TPM has generated an endorsement key, i.e., an RSA encryption 
public key, and has made it available to the attester. We refer to the TCG TPM 
specification [18,4] for how this is done. 



The Attestation Protocol. Let PKj := ( n , g 1 , g, h, S, Z, Rq, Ri, R2, 7, T, p) be 
the public key of the attester. Let Q = (Ur(l||bsn/))( r ~ 1 )/ p mod T, where bsn/ 
is the attester ’s long-term base name. 

We assume that the TPM somehow authenticates itself towards the attester 
using its endorsement key before the protocol below is run. We refer to the TCG 
TPM specification [18,4] for how this is done. 
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The protocol’s input to the TPM is (n, Ro, Ri, S, p, T) and its input to the 
host is ( n,g',g,h , S, Z, R 0 , Ri, R 2 , 7, r , p). 

1. The host computes Q := (ffr(l|!bsn/))( r ~ 1 )/ p mod T and sends Q to the 
TPM. 

2. The TPM checks whether £ 7 = 1 (mod T). 

3. Let i := (* will be 1 for values of the parameters selected in Sec- 

tion 4). 

The TPM computes 

/:= ff(ff(seed||ff(P^))||cnt||0)||...|| 

H(H(seed\\H(PK , I ))\\cnt\\i) (mod p) , 

fo ■= LSB fi := CAR e f (f), v' €r {0,1}^+^, U := R S 0 ° R{ x S v ' mod n, 

and Ni := ^j 0+ R 2 f mo d T, and sends U and Ni to the attester. 

4. The TPM proves to the attester knowledge of fo, fi, and v': it executes as 
prover the proof signature 

SPK{{fo, h,v') : fo,fl G {0,1 yf+tz+tn +2 A v ' G { 0 , i}<»+^+/«+2 A 
U = ±R f o°R f 1 1 S v ' (mod n) A TV/ = (mod r)} 

with the attester as the verifier. 

5. The attester chooses v G_r {0,1}^ _1 , a prime e €r [2 (e ~ 1 ,2 ie ~ 1 + 2 e '^~ 1 }, 
and an appropriate and unique k t , computes v" := v + 2 tv ~ 1 and 

A := ( — /ik z t ) 1 ^ e mod n, and sends (A,e,v") and k t to the host. 

6. To convince the platform that A was correctly computed, the attester as 
prover runs the proof signature 

SPK{ (d): A = ± ( US v„ R k t ) d ( mod n ) } 

with the host as verifier. 

7. The host verifies whether e is a prime and lies in [2 le ~ 1 1 2 ie ~ 1 + 2^ -1 ]. The 
host sends v" to the TPM. The host stores A , e, and k t - 

The only change we have made to this protocol is that A is computed dif- 
ferently. That is, the term Rif does not appear in the original DAA protocol in 
any of the computations of A. In particular, we did not modify anything that 
involves the TPM, so our modified protocol is compatible with the TCG TPM 
vl.2 specification [18,4]. 



Obtaining a One-Time Certificate from the Privacy-CA. In this section 
we describe how the TPM/host convince the Privacy CA that the got an attes- 
tation certificate, how they obtain a frequency certificate from it, and how it is 
ensured that this certificate will also contain the value kt that is contained on 
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the attestation certificate. The protocol for this can be seen as a combination of 
the DAA-join protocol and the DAA-sign and DA A- verify algorithms. 

Let PK P ■= (n,g',g, h,S, Z, R 0 ,Ri,R 2 ,R 3 ) be the public key of the Privacy 
CA. Let n p € {0, 1 Y h be a nonce and bsnp a base name value provided by the 
Privacy CA. 

The input to the protocol for the TPM is (n, Rq , Ri , i? 2 , S = S 2<? “ , T. p) 
and (/o, /i, vi, i> 2 ), and the host’s input to the protocol is the certificate (A, e) 
and, (n,g,g',h, R 0 ,R 1 ,R 2 ,S,Z,'y,r,p) and (n, g', g, h, S, Z, R 0 , Ri, R 2 , R 3 ). The 
frequency certification protocol is as follows: 

1. (a) The host computes £ := (.ffp(l||bsnp))(- r_1 )/ p mod r and sends £ to the 

TPM. 

2. (a) The host picks random integers w,r G [1, [fj] and computes Tj := 

Ah w mod n and T 2 := g w h e (g') r mod n. 

(b) The TPM computes Np := £-f°+A 2 1 mod r and sends Np to the host. 

(c) Let ran be a sufficiently large random string chosen by the host, e.g., 
ran Gp {0,l} fw . Let ko := LSBf / (7L(verif ier-name||ran)) and k\ := 
CARf / (iL(verifier-namejjran)). The host picks a random integer v' Gp 

[0, LfJ] and computes U := Ry° R(’ R 2 ‘ S v mod n. 

3. To prove that U was computed correctly, that the TPM/lrost has obtained at- 
testation, and that it contains the same value of kt as does U, the host/TPM 
jointly perform the following proof signature 

SPK{(f 0 , f 1: v, e, w, r, k t , k 0 , k 1: v') : 

Z = TfR f 0 °R f 1 1 R^ t S v h- ew (mod n) A T 2 = g w h e g ,r (mod n) A 
1 = T^ e g ew h ee g ,er (mod n ) A N P = £*+A 2 ^ ( mod r ) A 
U = R*°R k 1 1 R* t S v ' (mod n) A 

fo, fl,k U ko, fci G {0, 1 yt+te+t-n+2 A ( e — 2^) € {0, 1 }4+**+*tt + 1 } 

as prover with the Privacy CA as verifier. We show in the full version of this 
paper how this can be done. 

4. The Privacy CA checks whether £ = (iLp(l|jbsnp))( r_1 )/ p (mod r). 

? 

5. For all (fo, fi) on the revocation list, check if Np ^ (£/o+/i 2 f ) (mod r). 

6. The Privacy CA checks whether Np has appeared too often lately, i.e., per- 
forms the frequency checks on Np. 

7. Let exp-date € {0, 1} £/ encode the certificate’s expiration date. The Pri- 
vacy CA chooses v Gp {0, and a prime e Gp [2^ e_1 ,2^ e_1 + 2^ -1 ] 
and computes v" := v + 2^” -1 and A := ( URe x P -late Sv // ) 1 ^ mod n, and sends 
(A, e, v") and exp-date to the host. 

8. To convince the platform that A was correctly computed, the attester as 
prover runs the proof signature 

SPK{(d) : A = ±( URexp l tesv J rf (mod n)} 



with the host as verifier. 
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9. The host verifies whether e is a prime and lies in [2^ e_1 , 2^ e_1 + 2^ -1 ]. The 
host computes v := v" + v', verifies A e Ro' J R( :i R(j Rg Xp date S v = Z (mod n) and 
stores (A,e,v) together with verif ier-name, ran, and exp-date. 

As mentioned this protocol can be seen as a merge of the DA A- Join and the 
DAA-Sign protocols. However, as far as the TPM is concerned it is basically 
the DAA-Sign protocol, all other operations are solely carried out on the host. 
This can be easily be seen for all steps of the protocol, apart from the step 3 
where the TPM and host proof that they got an attestation certificate, that the 
value U was computed correctly, and that the attestation certificate and U both 
contained the same (secret) value . How this proof is exactly done is described 
in the full version of this paper. The idea of it is that the TPM executes all its 
operations of the DAA-sign protocol, i.e., it basically executes the proof signature 
SPK{(f 0 , /i, u) : (Z/A e ) = Rl 0 R f 1 1 S v mod n AN V = C /o+/l2 " / (mod T)}, which 
the host then extends to the full proof of step 3. Note that this proof does not 
involve any terms related to the Privacy CA. Thus, our protocol is compatible 
with the DAA-Sign protocol as in the TCG TPM vl.2 specification [18,4]. 

We finally remark that the expiration date selected by the Privacy CA will 
later also be shown to the verifier. Thus it, if it is chosen too fine-grained, 
the Privacy CA and the verifier could link the transactions by the expiration 
date. Specifying the expiration date in days should be fine for most applications 
Moreover, as the certificate can be used only one, there seems to be no strong 
reason to even have an expiration date at all. If no expiration date is required 
one can just set exp-date = 0, or just drop all terms Rg Xp date . 

Using the Certificate from the Privacy CA. In this section we finally 
provide the procedure for the TPM/host to convince that they got an attestation 
certificate and a frequency certificate. The procedure can be seen as running 
two instances of the DAA-sign protocol in parallel, one w.r.t. the attestation 
certificate and one w.r.t. the frequency certificate. In the latter instance, however, 
the TPM is not involved at all - here the host plays also the role of the TPM. 

Let n v € {0, \ Y n be a nonce provided by the verifier. Let b be a byte de- 
scribing the mode of the protocol, i.e., b = 0 means that the message to is an 
AIK generated by the TPM and 6 = 1 means that the message m was input to 
the TPM. 

The input to the protocol of for the TPM is to, (n, Rq, Ri,S, S' = S 12 ^ , T, p) 
and (/o, /i, Ui, U2), and the host’s input to the protocol is to, the certificate (A, e) 
and, (n,g,g',h, R 0 , Ri, S, Z,7, T, p); 

Let PK P := (n,g',g, h, S, Z, R 0 , Ri, R 2 ) be the public key of the Privacy CA. 
The signing algorithm is as follows. 

1. The host sends the verifier verif ier-name, ran, and exp-date who checks 
whether verifier-name is correct, whether ran is a value that he has not 
seen so far, and whether exp-date is still valid. 

2. (a) The host chooses a random ( Gr (7) and sends ( to the TPM. 

(b) The host receives Ny from the TPM (however, we don’t use Ny in the 
following) . 
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3. (a) The host picks random integers w,r G [1, |_f_|] and computes Ti := 

Ah w mod n and T 2 := g w h e (g') r mod n. 

(b) The host picks random integers w, r G [1, LlJ] and computes Ti := 
Ah'" mod n and T 2 := g w h e (g') r mod n. 

4. The host sends Ti, T 2 , Ti, T2, exp-date, verifier-name, and ran to the 
verifier. 

5. The verifier checks whether it has seen ran before. If that is the case, the 
verifier aborts. Otherwise, it computes 

fc 0 := LSB£ / (if(verifier-namejjran)) (1) 

jfei := CAR^ / (if(verifier-namejjran)) (2) 

6. To prove that the TPM/host has obtained attestation, that it has obtained a 
one-time certificate from the Privacy CA that contains the values ko, k\ and 
exp-date as well some value (Ay) that is also contained in the attestation, 
the host/TPM jointly perform the following proof signature 

SPK{(f 0 , fi,v, e, w, r , k t , v, e, w, r) : T 2 = g w h e g" (mod n) A 

Z = T^R f 0 °R f 1 1 R^S v h- ew (modn) A 1 = Tff e g ew h ee g' er (mod n) A 

T 2 = g w h e g' r Hn) A ^^eTIR^SV* (mod n) A 

Kq K 3 

1 = T 2 - e g ew h e Y er (mod n) A / 0 , / 1 , k t G {0, l}*/+*«+*«+2 A 

(e - 2 / -), (e - 2 ^) G {0, l}<+^ + ^ +1 }(n t ||n p ||6||m) 

as prover with the Privacy CA as verifier, where rit is a nonce generated by 
the TPM. We refer to the full version of this paper for the details on how 
the TPM and the host jointly compute this proof signature. 

Apart from the proof signature in the last step of the protocol, it is clear that 
the TPM performs only the operations as it would in the DAA-sign protocol. In 
the full version of this paper, we show that also in order to generate this proof 
signature, it is sufficient if the TPM only executes the steps from the DAA-sign 
protocol. Thus, also this protocol does not requires any change to the TPM as 
specified [18]. 



Security Analysis. Providing a formal proof of security is beyond the scope 
of this extended abstract; we will only provide an informal discussion why the 
proposed protocol meet the requirements listed in Section 2. However, given 
the proof of security of the original direct anonymous attestation protocol [4], 
deriving a proof of security for the protocols described in this paper is not too 
hard. 

We argue why the requirements from Section 2 are fulfilled. 

Unforgeability. First note that due to the properties of the direct anonymous 
attestation scheme, a TPM/host pair can only generate a DAA-signature if it 




Better Privacy for Trusted Computing Platforms 



87 



has obtained an attestation certificate. Furthermore, if the same base £ is used 
in the signature, the pseudonym Np (resp. Ny) contained in the signature will 
be the same for all DAA-signatures produced by the TPM/host. Thus a TPM- 
lrost pair can not have more than one pseudonym with the same Privacy CA 
and will only obtain a frequency certificate if it is indeed entitled to obtain one. 
Furthermore, a TPM-lrost pair can use a frequency certificate only once and 
only with a single verifier. This is ensured by deriving the fco and fci that are 
included into the frequency certificate from verifier-name and ran. Changing 
these values can only be done if one could forge frequency certificates or break 
the hash function. Thus, if the verifier only accepts certificates where ko and fci 
are derived from it’s name and a random string ran that it had not seen before, 
a frequency certificate can only be used with a single verifier and only once. 

Anonymity. Apart from the zero-knowledge proofs and the pseudonyms Np, all 
values that the TPM-host pair ever reveal are information theoretic commit- 
ments, or values that appear only in a single transaction. For instance, a value 
ran will appears only in a transaction with a verifier in the clear; in the cor- 
responding transaction with the Privacy CA it appears only in a commitment. 
Furthermore, it is not hard to show that all the proofs protocols employed are 
statistically zero-knowledge. Thus, the pseudonyms Np are the only information 
that could be used to link transactions. However, if it is ensured that the Privacy 
CAs each use a different base £, then the only transaction by the same TPM- 
lrost pair that can be linked are those made with the same Privacy CA, provided 
the decisional Diffie Heilman assumption is true. Ensuring that each Privacy CA 
indeed uses a different base could for instance be done by requiring that it is 
derived by the Privacy CA’s name using a hash function. Thus anonymity is 
guaranteed even if the attester, all Privacy CAs, and all verifiers collude. 

This assumes of course that the TPM-host pairs do chose the time at which 
to run the protocol to obtain a frequency certificate and the protocol to show 
it such that these instances become not linkeable solely by the time they are 
executed. 

We finally note that because of the anonymity property even holds if the 
verifiers and the Privacy CAs collude, the role of the Privacy CAs can assume 
by the verifiers. Thus our solution overcomes the main drawback of the original 
Privacy CA solution where the TPM/host needs to trust these parties not to 
collude and hence this separation was needed. 

5 Conclusion 

We have shown how to modify the direct anonymous attestation protocol as to 
provide the same level of privacy as the TCG’s initial Privacy CA solution while 
avoiding all the drawbacks of it. In particular, in our solution the TPM-host pair 
no longer needs to trust the Privacy CA which drastically lowers the requirements 
for running such a Privacy CA. In fact, in our solution the Privacy CA and the 
verifier can be the same party without loosing any security properties. 
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Abstract. We present the first cryptographically sound security proof of the 
well-known Otway-Rees protocol. More precisely, we show that the protocol 
is secure against arbitrary active attacks including concurrent protocol runs if 
it is implemented using provably secure cryptographic primitives. Although we 
achieve security under cryptographic definitions, our proof does not have to deal 
with probabilistic aspects of cryptography and is hence in the scope of current 
proof tools. The reason is that we exploit a recently proposed ideal cryptographic 
library, which has a provably secure cryptographic implementation. Together with 
composition and preservation theorems of the underlying model, this allows us 
to perform the actual proof effort in a deterministic setting corresponding to a 
slightly extended Dolev-Yao model. Besides establishing the cryptographic secu- 
rity of the Otway-Rees protocol, our result also exemplifies the potential of this 
cryptographic library. We hope that it paves the way for cryptographically sound 
verification of security protocols by means of formal proof tools. 

1 Introduction 

Many practically relevant cryptographic protocols like SSL/TLS, IPSec, or SET use 
cryptographic primitives like signature schemes or encryption in a black-box way, while 
adding many non-cryptographic features. Vulnerabilities have accompanied the design 
of such protocols ever since early authentication protocols like Needham-Schroeder 
[34, 15], over carefully designed de-facto standards like SSL and PKCS [40, 13], up to 
current widely deployed products like Microsoft Passport [17]. However, proving the 
security of such protocols has been a very unsatisfactory task for a long time. 

One way to conduct such proofs is the cryptographic approach, whose security def- 
initions are based on complexity theory, e.g., [19, 18,20, 10]. The security of a cryp- 
tographic protocol is proved by reduction, i.e., by showing that breaking the protocol 
implies breaking one of the underlying cryptographic primitives with respect to its cryp- 
tographic definition. This approach captures a very comprehensive adversary model and 
allows for mathematically rigorous and precise proofs. However, because of probabil- 
ism and complexity-theoretic restrictions, these proofs have to be done by hand so far, 
which yields proofs with faults and imperfections. Moreover, such proofs rapidly be- 
come too complex for larger protocols. 

The alternative is the formal-methods approach, which is concerned with the au- 
tomation of proofs using model checkers and theorem provers. As these tools currently 
cannot deal with cryptographic details like error probabilities and computational re- 
strictions, abstractions of cryptography are used. They are almost always based on the 
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so-called Dolev-Yao model [16]. This model simplifies proofs of larger protocols con- 
siderably and has given rise to a large body of literature on analyzing the security of 
protocols using various techniques for formal verification, e.g., [31, 29, 25, 14, 37, 1 ]. 

Among the protocols typically analyzed in the Dolev-Yao model, the Otway-Rees 
protocol [35], which aims at establishing a shared key between two users by means of 
a trusted third party, stands out as one of the most prominent protocols. It has been 
extensively studies in the past, e.g., in [36,24,37], and various new approaches and 
formal proof tools for the analysis of security protocols were validated by showing that 
they can prove the protocol in the Dolev-Yao model (respectively that they can find the 
well-known type-flaw attack if the underlying model does not provide sufficient typing 
itself; the model that our proof is based upon excludes this attack). However, all existing 
proofs of security of the Otway-Rees protocol are restricted to the Dolev-Yao model, 
i.e., no theorem exists which allows for carrying over the results of an existing proof to 
the cryptographic approach with its much more comprehensive adversary. Thus, despite 
of the tremendous amount of research dedicated to the Otway-Rees protocol, it is still 
an open question whether an actual implementation based on provably secure crypto- 
graphic primitives is secure under cryptographic security definitions. We close this gap 
by providing the first security proof of the Otway-Rees protocol in the cryptographic 
approach. We show that the protocol is secure against arbitrary active attacks if the 
Dolev-Yao-based abstraction of symmetric encryption is implemented using a symmet- 
ric encryption scheme that is secure against chosen-ciphertext attacks and additionally 
ensures integrity of ciphertexts. This is the standard security definition of authenticated 
symmetric encryption schemes [12, 11], and efficient symmetric encryptions schemes 
provably secure in this sense exist under reasonable assumptions [ 1 1, 39]. 

Obviously, establishing a proof in the cryptographic approach presupposes dealing 
with the mentioned cryptographic details, hence one naturally assumes that our proof 
heavily relies on complexity theory and is far out of scope of current proof tools. How- 
ever, our proof is not performed from scratch in the cryptographic setting, but based 
on a recently proposed cryptographic library [8, 9, 7], which provides cryptographically 
faithful, deterministic abstractions of cryptographic primitives, i.e., the abstractions can 
be securely implemented using actual cryptography. Moreover, the library allows for 
nesting the abstractions in an arbitrary way, quite similar to the original Dolev-Yao 
model. While this was shown for public-key encryption and digital signatures in [8] 
and subsequently extended with message authentication codes in [9], the most recent 
extension of the library further incorporated symmetric encryption [7] which constitutes 
the most commonly used cryptographic primitive in the typical proofs with Dolev-Yao 
models, and also serves as the central primitive for expressing and analyzing the Otway- 
Rees protocol. However, as shown in [7], there are intrinsic difficulties in providing a 
sound abstraction from symmetric encryption in the strong sense of security used in [8]. 
Very roughly, a sound Dolev-Yao-style abstraction of symmetric encryption can only be 
established if a so-called commitment problem does not occur, which means that when- 
ever a key that is not known to the adversary is used for encryption by an honest user 
then this key will never be revealed to the adversary. We will elaborate on the origin of 
this problem in more detail in the paper. While [7] discusses several solutions to this 
problem, the one actually taken is to leave it to the surrounding protocol to guarantee 
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that the commitment problem does not occur, i.e., if a protocol that uses symmetric en- 
cryption should be faithfully analyzed, it additionally has to be shown that the protocol 
guarantees that keys are no longer sent in a form that might make them known to the 
adversary once an honest participant has started using them. Our proof shows that this is 
a manageable task that can easily be incorporated in the overall security proof without 
imposing a major additional burden on the prover. 

Once we have shown that the Otway-Rees protocol does not raise the commitment 
problem, it is sufficient to prove the security of the Otway-Rees protocol based on 
the deterministic abstractions; then the result automatically carries over to the crypto- 
graphic setting. As the proof is deterministic and rigorous, it should be easily express- 
ible in formal proof tools, in particular theorem provers. Even done by hand, our proof 
is much less prone to error than a reduction proof conducted from scratch in the cryp- 
tographic approach. We also want to point out that our result not only provides the 
up-to-now missing cryptographic security proof of the Otway-Rees protocol, but also 
exemplifies the usefulness of the cryptographic library [8] and their extensions [9,7] for 
the cryptographically sound verification of cryptographic protocols. 

Further Related Work. Cryptographic underpinnings of a Dolev-Yao model were first 
addressed by Abadi and Rogaway in [3]. However, they only handled passive adver- 
saries and symmetric encryption. The protocol language and security properties handled 
were extended in [2,26], but still only for passive adversaries. This excludes most of 
the typical ways of attacking protocols, e.g., man-in-the-middle attacks and attacks by 
reusing a message part in a different place or a concurrent protocol run. A full crypto- 
graphic justification for a Dolev-Yao model, i.e., for arbitrary active attacks and within 
arbitrary surrounding interactive protocols, was first given recently in [8] with exten- 
sions in [9,7], Based on the specific Dolev-Yao model whose soundness was proven 
in [8], the well-known Needham-Schroeder-Lowe protocol was proved in [6]. Besides 
the proof that we present in this paper, the proof in [6] is the only Dolev-Yao-style, 
computationally sound proof that we are aware of. However, it is considerably simpler 
than the one we present in this work since it only addresses integrity properties whereas 
our proof additionally establishes confidentiality properties; moreover, the Needham- 
Schroeder-Lowe protocols does not use symmetric encryption, hence the commitment 
problem does not occur there which greatly simplifies the proof. Another cryptograph- 
ically sound proof of this protocol was concurrently developed by Warinschi [41], The 
proof is conducted from scratch in the cryptographic approach which takes it out of the 
scope of formal proof tools. 

Laud [27] has recently presented a cryptographic underpinning for a Dolev-Yao 
model of symmetric encryption under active attacks. His work enjoys a direct con- 
nection with a formal proof tool, but it is specific to certain confidentiality properties, 
restricts the surrounding protocols to straight-line programs in a specific language, and 
does not address a connection to the remaining primitives of the Dolev-Yao model. 
Herzog et al. [21,22] and Micciancio and Warinschi [30] have recently also given a 
cryptographic underpinning under active attacks. Their results are considerably weaker 
than the one in [8] since they are specific for public-key encryption; moreover, the for- 
mer relies on a stronger assumption whereas the latter severely restricts the classes of 
protocols and protocol properties that can be analyzed using this primitive. Section 6 
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of [30] further points out several possible extensions of their work which all already 
exist in the earlier work of [8]. 

Efforts are also under way to formulate syntactic calculi for dealing with probabil- 
ism and polynomial-time considerations, in particular [32,28,33,23] and, as a second 
step, to encode them into proof tools. However, this approach can not yet handle pro- 
tocols with any degree of automation. Generally it is complementary to, rather than 
competing with, the approach of proving simple deterministic abstractions of cryptog- 
raphy and working with those wherever cryptography is only used in a blackbox way. 

Outline. Section 2 introduces the notation used in the paper and briefly reviews the 
aforementioned cryptographic library. Section 3 shows how to model the Otway-Rees 
protocol based on this library as well as how initially shared keys can be represented 
in the underlying model. Section 4 contains the security property of the Otway-Rees 
protocol in the ideal setting, and this property is proven in Section 5. Section 6 shows 
how to carry these results over to the cryptographic implementation of the protocol. 
Section 7 concludes. 

2 Preliminaries 

In this section, we give an overview of the ideal cryptographic library of [8, 9, 7] and 
briefly sketch its provably secure implementation. We start by introducing the notation 
used in this paper. 

2.1 Notation 

We write for deterministic and ” for probabilistic assignment. Let J, denote 
an error element available as an addition to the domains and ranges of all functions 
and algorithms. The list operation is denoted as l := (x\, . . . , Xj), and the arguments 
are unambiguously retrievable as l[i\, with l[i] = j if i > j. A database D is a set of 
functions, called entries, each over a finite domain called attributes. For an entry x £ D, 
the value at an attribute att is written x.att. For a predicate pred involving attributes, 
D[pred } means the subset of entries whose attributes fulfill pred. If D[pred } contains 
only one element, we use the same notation for this element. 

2.2 Overview of the Ideal and Real Cryptographic Library 

The ideal (abstract) cryptographic library of [8, 9, 7] offers its users abstract crypto- 
graphic operations, such as commands to encrypt or decrypt a message, to make or test 
a signature, and to generate a nonce. All these commands have a simple, deterministic 
semantics. To allow a reactive scenario, this semantics is based on state, e.g., of who 
already knows which terms; the state is represented as a database. Each entry has a type 
(e.g., “ciphertext”), and pointers to its arguments (e.g., a key and a message). Further, 
each entry contains handles for those participants who already know it. A send opera- 
tion makes an entry known to other participants, i.e., it adds handles to the entry. The 
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ideal cryptographic library does not allow cheating. For instance, if it receives a com- 
mand to encrypt a message m with a certain key, it simply makes an abstract database 
entry for the ciphertext. Another user can only ask for decryption of this ciphertext if 
he has obtained handles to both the ciphertext and the secret key. To allow for the proof 
of cryptographic faithfulness, the library is based on a detailed model of asynchronous 
reactive systems introduced in [38] and represented as a deterministic machine TH-^, 
called trusted host. The parameter H C { 1 . . . , n} denotes the honest participants, 
where n is a parameter of the library denoting the overall number of participants. De- 
pending on the considered set TL, the trusted host offers slightly extended capabilities for 
the adversary. Flowever, for current purposes, the trusted host can be seen as a slightly 
modified Dolev-Yao model together with a network and intruder model, similar to “the 
CSP Dolev-Yao model” or “the inductive-approach Dolev-Yao model”. 

The real cryptographic library offers its users the same commands as the ideal one, 
i.e., honest users operate on cryptographic objects via handles. The objects are now real 
cryptographic keys, ciphertexts, etc., handled by real distributed machines. Sending a 
term on an insecure channel releases the actual bitstring to the adversary, who can do 
with it what he likes. The adversary can also insert arbitrary bitstrings on non-authentic 
channels. The implementation of the commands is based on arbitrary secure encryp- 
tion and signature systems according to standard cryptographic definitions, with certain 
additions like type tagging and additional randomizations. 

The security proof of [8] states that the real library is at least as secure as the ideal 
library. This is captured using the notion of reactive simulatability [38], which states 
that whatever an adversary can achieve in the real implementation, another adversary 
can achieve given the ideal library, or otherwise the underlying cryptography can be 
broken [38]. This is the strongest possible cryptographic relationship between a real 
and an ideal system. In particular it covers arbitrary active attacks. Moreover, a compo- 
sition theorem exists in the underlying model [38], which states that one can securely 
replace the ideal library in larger systems with the real library, i.e., without destroying 
the already established simulatability relation. 

2.3 Detailed Description of the State of the Cryptographic Library 

We conclude this section with the rigorous definition of the state of the ideal crypto- 
graphic library. A rigorous definition of the commands of the ideal library used for 
modeling the Otway-Rees protocol and for capturing the slightly extended adversary 
capabilities can be found in the long version of this paper [4], 

The machine TH>/ has ports in,,.? and out,,! for inputs from and outputs to each 
user u £ H and for u = a, denoting the adversary. The notation follows the CSP con- 
vention, e.g., the cryptographic library obtains messages at in,,? that have been output 
at in u !. Besides the number n of users, the ideal cryptographic library is parameter- 
ized by a tuple L of length functions which are used to calculate the “length” of an 
abstract entry, corresponding to the length of the corresponding bitstring in the real im- 
plementation. Moreover, L contains bounds on the message lengths and the number of 
accepted inputs at each port. These bounds can be arbitrarily large, but have to be poly- 
nomially bounded in the security parameter. Using the notation of [8], the ideal cryp- 
tographic library is a system Sys c ^^ d that consists of several structures ({TH-^}, Su), 
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one for each value of the parameter TL. Each structure consists of a set of machines, 
here only containing the single machine TH>^, and a set Su '■= {in M ?, out M ! | u £ TL) 
denoting those ports of TH^ that the honest users connect to. Formally, we obtain 
Syfj^f 6 := {({TH-h}, S-h) \TL C {1, . . . , ?t}}. In the following, we omit the parame- 
ters n and L for simplicity 1 . 

The main data structure of TH^ is a database D. The entries of D are abstract rep- 
resentations of the data produced during a system run, together with the information on 
who knows these data. Each entry in D is of the form (recall the notation in Section 2.1) 

( ind , type , arg , hnd Ul , . . . , hnd Um , hnd 3 , len ) 

where TL = {iti, . . . , u m }. For each entry x £ D: 

- x.ind £ lAfVS, called index, consecutively numbers all entries in D. The set 
ZA fVS is isomorphic to N and is used to distinguish index arguments from others. 
The index is used as a primary key attribute of the database, i.e., we write D[i] for 
the selection D[ind = i\. 

- x.type € typeset identifies the type of x. 

- x.arg = (ai, 02 , • ■ • , cij ) is a possibly empty list of arguments. Many values a* are 
indices of other entries in D and thus in 1MDS. We sometimes distinguish them 
by a superscript “ind”. 

- x.hnd u £ HJVVS U {J.} for u £ TL U {a} are handles by which a user or adversary 
u knows this entry. x.hnd u = j means that u does not know this entry. The set 
HJVVS is yet another set isomorphic to N. We always use a superscript “hnd” for 
handles. 

- x.len £ No denotes the “length” of the entry; it is computed by applying the func- 
tions from L. 

Initially, D is empty. TH-^ has a counter size £ ZA fUS for the current size of D. For 
the handle attributes, it has counters curhnd u (current handle) initialized with 0. 

3 The Otway-Rees Protocol 

The Otway-Rees protocol [35] is a four-step protocol for establishing a shared secret 
encryption key between two users. The protocol relies on a distinguished trusted third 
party T, i.e., T ^ {1, . . . , ?i}, and it is assumed that every user u initially shares a secret 
key K ut with T. Expressed in the typical protocol notation, the Otway-Rees protocol 
works as follows 2 . 

1. u > v : AT, (N u , M, u, v) Kut 

2. v -+ T : M, (N u , M, u, v) Kut , {N V ,M, u, v) Kvt 
3- T — > v : M, (N u , K uv ) Kut , (N Vl K uv ) Kvt 

4. v -> u : M, (N u , K uv ) Kut . 

1 Formally, these parameters are thus also parameters of the ideal Otway-Rees system 5'r/s 0R ’ ld 
that we introduce in Section 3.2. 

2 For simplicity, we omit the explicit inclusion of u and v in the unencrypted part of the first and 
second message since the cryptographic library already provides the identity of the (claimed) 
sender of a message, which is sufficient for our purpose. 
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3.1 Capturing Distributed Keys in the Abstract Library 

In order to capture that keys shared between users and the trusted third party have 
already been generated and distributed, we assume that suitable entries for the keys 
already exist in the database. We denote the handle of u to the secret key shared with 
v, where either u € {1, . . . , n} and v = T or vice versa, as skse h ^ v . More formally, 
we start with an initially empty database D, and for each user u € TL two entries of the 
following form are added (the first one being a public-key identifier for the actual secret 
key as described below in more detail): 

( ind := pkse u , type := pkse, arg := (), len := 0); 3 

(ind := skse u , type := skse, arg := ( ind — 1), 

hnd u := skse^j, hndj := skse j n ^, len := skseJen*(/c)). 

Here pkse u and skse u are two consecutive natural numbers; skse Jen* (/c) denotes the 
abstract length of the secret key which will not matter in the following. 

The first entry has to be incorporated in order to reflect special capabilities that the 
adversary may have with respect to symmetric encryption schemes in the real world. 
For instance it must be possible for an adversary against the ideal library to check 
whether encryptions have been created with the same secret key since the definition of 
symmetric encryption schemes does not exclude this and it can hence happen in the real 
system. For public-key encryption, this was achieved in [8] by tagging ciphertexts with 
the corresponding public key so that the public keys can be compared. For symmetric 
encryption, this is not possible as no public key exists, hence this problem is solved by 
tagging abstract ciphertexts with an otherwise meaningless "public key” solely used as 
an identifier for the secret key. Note that the argument of a secret key points to its key 
identifier. In the following, public-key identifiers will not matter any further. 

We omit the details of how these entries for user u are added by a command 
gen_symenc_key, followed by a command send_s for sending the secret key over a se- 
cure channel. 

3.2 The Otway-Rees Protocol Using the Abstract Library 

We now model the Otway-Rees protocol in the framework of [38] and using the ideal 
cryptographic library. 

For each user u € {1, . . . , n} we define a machine M° R , called a protocol machine, 
which executes the protocol sketched above for participant identity u. It is connected to 
its user via ports KS_out„ !, KS_in „? (“KS” for “Key Sharing”) and to the cryptographic 
library via ports in u !, out M ?. We further model the trusted third party as a machine M j R . 
It does not connect to any users and is connected to the cryptographic library via ports 
inj!, outj?. The combination of the protocol machines M® R , the trusted third party 
M ° R , and the trusted host TH-^ is the ideal Otway-Rees system Sys 0R ’ ,d . It is shown in 
Figure 1; H and A model the arbitrary joint honest users and the adversary, respectively. 

3 Treating public -key identifiers as being of length 0 is a technicality in the proof of [7] and will 
not matter in the sequel. 
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Fig. 1. Overview of the Otway-Rees Ideal System. 

Using the notation of [8], we have Sys 0R ' ,d := {( Mu , Sh) \ 'H C {1, . . . , n}}, cf. 
the definition of the ideal cryptographic library in Section 2.3, where Mu := {TH-^ } U 
{M° R | u G H U {T}} and Su := {KS_in„?, KS_out„! | u € H}, i.e., for a given set 
H of honest users, only the protocol machines M° R with u Ghi are actually present in 
a protocol run. The others are subsumed in the adversary. 

The state of the protocol machine M° R consists of the bitstring u and a set Nonce u 
of pairs of the form (?i hnd , m hnd , v, j), where n hnd , m hnd are handles, v G {1, . . . , n}, 
and j G {1,2, 3, 4}. Intuitively, a pair (n hnd , r?i hnd , v, j) states that M° R generated the 
handle n hnd in the y-tli step of the protocol in a session run with v and session identifier 
TO hnd . The set Nonce u is initially empty. The trusted third party Mj R maintains an 
initially empty set SIDj to store already processed session IDs. 

We now define how the protocol machine M® R evaluates inputs. They either come 
from user u at port KS_in u ? or from TH u at port out,,?. The behavior of M° R in both 
cases is described in Algorithm 1 and 3 respectively, which we will describe below. 
The trusted third party M ° R only receives inputs from the cryptographic library, and its 
behavior is described in Algorithm 2. We refer to Step i of Algorithm j as Step j.i. All 
three algorithms should immediately abort if a command to the cryptographic library 
does not yield the desired result, e.g., if a decryption requests fails. For readability we 
omit these abort checks in the algorithm descriptions; instead we impose the following 
convention on all three algorithms. 

Convention 1 For all w G {1, . . . ,n} U { T} the following holds. If M° R enters a 
command at port in^! and receives { at port outu,? as the immediate answer of the 
cryptographic library, then M® R aborts the execution of the current algorithm, except 
if the command was of the form I ist_proj or send _i. 

Protocol start. The user of the protocol machine M° R can start a new protocol with user 
v G {1, . . . , n} \ {it} by inputting (new_prot, Otway _Rees, v) at port KS_in u ?. Our se- 
curity proof holds for all adversaries and all honest users, i.e., especially those that start 
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Algorithm 1 Evaluation of Inputs from the User (Protocol Start). 
Input: (new.prot, Otway_Rees, v) at KSJn„? with v £ {1, . . . , n} \ {«}. 
1 : n dnd gen_nonce(). 

2: ID hnd +- gen_nonce(). 

3: Nonce u := Nonce u U {(n dnd , ID hnd , v, 1)}. 

4: rt hnd <— store(w). 

5: u hnd 4 - store(u). 

6 : (J nd list(n dnd , /D hnd , u hnd , u hnd ). 

7: ci nd sym.encrypt(sfese^,Zi nd ). 

8 : m h i nd <- list(7Z5 hnd , c5 nd ). 

9: send _i(u, mi nd ). 



protocols with the adversary (respectively a malicious user) in parallel with protocols 
with honest users. Upon such an input, M° R builds up the term corresponding to the 
first protocol message using the ideal cryptographic library according to Algorithm 1 . 
The command gen_nonce generates the ideal nonce as well as the session identifier. 
M° R stores the resulting handles n^ nd and m hnd in Nonce u for future comparison to- 
gether with the identity of v and an indicator that these handles were generated in the 
first step of the protocol. The command store inputs arbitrary application data into the 
cryptographic library, here the user identities u and v. The command list forms a list 
and sym_encrypt is symmetric encryption. The final command sendJ means that M° R 
sends the resulting term to v over an insecure channel. The effect is that the adversary 
obtains a handle to the term and can decide what to do with it (such as forwarding it to 

M? R ). 

Evaluation of network inputs for protocol machines. The behavior of the protocol ma- 
chine M° R upon receiving an input from the cryptographic library at port out,,? (cor- 
responding to a message that arrives over the network) is defined similarly in Algo- 
rithm 3. By construction of THyy, such an input is always of the form (v, u, i, m hnd ) 
where m hnd is a handle to a list. To increase readability, and to clarify the connection 
between the algorithmic description and the usual protocol notation, we augment the 
algorithm with explanatory comments at its right-hand side to depict which handle cor- 
responds to which Dolev-Yao term. We further use the naming convention that ingoing 
and outgoing messages are labeled m, where outgoing messages have an additional 
subscript corresponding to the protocol step. Encryptions are labeled c, the encrypted 
lists are labeled l, both with suitable sub- and superscripts. 

M° R first determines the session identifier and aborts if it is not of type nonce. M° R 
then checks if the obtained message could correspond to the first, third, or fourth step of 
the protocol. (Recall that the second step is only performed by T.) This is implemented 
by looking up the session identifier in the set Nonce u . After that, M° R checks if the 
obtained message is indeed a suitably constructed message for the particular step and 
the particular session ID by exploiting the contents of Nonce u . If so, M° R constructs a 
message according to the protocol description, sends it to the intended recipient, updates 
the set Nonce u , and possibly signals to its user that a key has been successfully shared 
with another user. 
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Algorithm 2 Behavior of the Trusted Third Party. 



Input: (v. T. i, m hnd ) at out T ? with v 6 {1, . . . , n}. 

1: ID hnd <- list_proj(m hnd , 1). {ID hnd « M} 

2 : type 1 <— get_type(/I9 hnd ). 

3: c' 3 > <— list_proj(m hnd , 3). {4 3 - 1 « {N v , M, u, v}x vt } 

4: Z (3) <— sym_decrypt(sfcsex" d , c® ). {Z® « {N v , M, it, i<}} 

5: Vi" 6 <— list_proj(Z < ' 3 - ) , i) for i = 1,2, 3, 4. 

6 : j/i <— retrieve (j/i nd ) for i = 3, 4. 

7: if {ID hnd € S7Z?t) V (tape, ^ nonce) V (i/S" d ^ ID hnd ) V (j, 3 0 {1, . . . , n} \ M) V (t/ 4 ^ 

v) then 
8 : Abort 

9: end if 



10: SID t '■= SIDj U {/79 hnd }. 

11: c (2) <— list_proj(m hnd ,2). {c (2) « {N u , M, u, v} Kut } 

12’ /( 2 ) hnd ■ ' ’ h"rl ^hnd, r,f03 hnd 

hnd 



— sym_decrypt(s/csej" y3 , c 
13: x n i na <— list_proj(^ 2 l , i) for i = 1,2, 3, 4. 

14: type 2 <— get_type(x5" d ). 

15: <— retrieve(*i nd ) for* = 3,4. 

16: if {type 2 f nonce) V ( x 2 nd f y 2 nd ) V (*3 f yf) V (*4 3/4) then 

17: Abort 

18: end if 

19: sfcse hnd <— gen_symenc_key(). 



{l (2)hnd &{N u ,M,u,v}} 



20 : l 



(2) h 



(2) h 



21: c 3 

/oyhnd 

22 : 4 

„(3) hnd 



23: 4' 

24: mf d <- list(/T> 
25: send _i(u, m 3 nd ). 



Iist(x h ! nd , sfcse h 
sym_encrypt(sfcsej nd 3 , Z 3 
list(y 1 hnd ,sfcse hnd ) 

sym_encrypt(sfcse T „, i 3 
hnd „(2) hnd (3) hnd 



{skse hni « J£T„„} 

/r\\ hnd 

{/r «{AZ U ,7T U „}} 



(2) h 



hnd ^(3) ' 



/o\ hnd 

(4 2) ^{N u ,K uv } Kut } 



{<=; 



(4 

(3) hnd 



» {N V ,K UV }} 

{AT; , Kuv\lC v t } 



,4 dJ )• 



{m h 3 nd « M, {N u , K uv } Kut ,{N V , K uv } Kvt } 



Behavior of the trusted third party. The behavior of M° R upon receiving an input 
( v , T, i, m hnd ) from the cryptographic library at port outj? is defined similarly in Al- 
gorithm 2. We omit an informal description. 

3.3 On Polynomial Runtime 

In order to use existing composition results of the underlying model, the protocol ma- 
chines M2 r and M ° R must be polynomial-time. Similar to the cryptographic library, 
we define that each of these machines maintains explicit polynomial bounds on the 
message lengths and the number of inputs accepted at each port. 

4 The Security Property 

In the following, we formalize the security property of the ideal Otway-Rees protocol. 
The property consists of a secrecy property and a consistency property. The secrecy 







A Cryptographically Sound Dolev-Yao Style Security Proof 



99 



Algorithm 3 Evaluation of Inputs from TH u (Network Inputs). 



Input: ( v , u, i, m hnd ) at out„? with v € {1, . . . , n} \ {u}. 

1 : ID hnd «- list_proj(m hnd , 1 ). {ID hnd « M} 

2: type 1 <— get_type(/i9 hnd ). 

3: if type 1 y^ nonce then 
4: Abort 

5: end if 

6: if v ^TA V), n hnd : (n hnd , ID hni ,v,j) ^ Nonce u then {First Message is input} 

7: c (2 > <— list_proj(m hnd , 2). {c^ & (N v , M,v,u)ic vt } 

8: n dnd <— gen_nonce(). 

9: Nonce u := Nonceu U {(n dnd , ID hnd , v, 2)}. 

10: u hnd <— store(u). 

11: u hnd <- store (v). 



4 3) list(n dnd ,/D hnd , u hnd ,u hnd ). (4 3) &N u ,M,v,u} 

4 <- sym_encrypt(sfcse d }{-,4 ). {4 ~ { N n, M, v, u ) Kut } 

m d " d - list(/D hnd , C ( 2 ) hnd ,4 3)hnd ). {tti 2 nd ~ M, {N v ,M,v,u)K vt , (N u ,M,v,u)K ut } 

send.i(T ,m^ nd ). 

else if u = T then {Third Message is input} 

c (2) hnd <_ |ist_proj(m hnd , 2). { c ( 2 ) hnd ~ (N v ,K uv ) Kvt } 

c (3) hnd |i s t_proj(m hnd ,3). | c (3) hnd ~ (N u , K uv ) Kut } 

l ( 3) h " d <— sym_decrypt(sfcse d " d ,c (3)h " d ). {/(3) hnd w A^ U ,7T U „} 

y{ nd <— list_proj(^ 3 - ) ,i) fori = 1,2. 

type 2 *- get_type(i/5" d ). 

if (fl\w € {1, . . . , n} \ {rt} : (j/l' nd , ID h " d , w, 2) € Nonce u ) V ( type 2 y^ skse) then 
Abort 

end if 

Nonce u := (Nonceu \ {(y^ , ID hnd ,w,2)}) U {(y^ , ID h " d ,w,3)}. 

mT <- list(/D hnd ,c (2)hnd ). {mT » M, {N v ,K uv } Kvt } 

send_i(tn, m!j nd ). 

Output (ok, Otway.Rees, w, ID h " d ,y^' d ) at KS_out„!. 
else if v y^ T A 3!n hnd : (n hnd , ID hnd ,v, 1) then {Fourth Message is input} 

c ( 2 ) hnd |i s t_proj(m hnd , 2). { c (2) hnd ~ {N u ,K uv } Kut } 

l^ hnd - sym.decrypt (skse^c^). {I™** « {N U ,K UV }} 

* dnd <— list_proj(7 < - 2 - )hnd , *) for i = 1,2. 

type 3 «- get.type(a; 2 nd )- 
if *i nd y^ n hnd V type 3 y^ skse then 
Abort 

end if 

Nonceu := (Mmce« \ {(x^ 6 JD hnd ,v, 1)}) U {(a:i nd , 7Z9 hnd , v, 4)}. 

Output (ok, Otway.Rees, v, ID hnd ,x 2 nd ) at KS_out„!. 
else 
Abort 

end if 



{c (2) &{N U ,K UV } Kut } 
{l( 2 > h " d » {Nu,Kuv}} 
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Vw, t< £ 7f , Vii , £ N : # For all honest users u and v, 

( ti : KS_out„!(ok, Otway.Rees, v, ID hnd , skse ! ^' d ) # if u has established a shared key with v 

# then 

t 2 : D[hnd u = skseif ].hnd 3 = 1) # the adversary never learns this key 

Fig. 2. The Secrecy Property Req Sec . 



\/u,v £ H,\/ti,t 2 £ N: 

ti : KS_out„!(ok, Otway.Rees , v, ID h f d , skse^) A 
t 2 : KS_out„!(ok, Otway_Rees, w, ID h v nd , skse h v nd ) A 
ti : D[hnd u = ID h u nd } = t 2 : D[hnd v = ID h v nd } 

=> (u = w yy 

t\ : D[hnd u = sfcse^ nd ] = t 2 : D[hnd v = sfcse dnd ]) 



# For all honest users u and v, 

# if u has established a key with v 

# and v has established a key with w 

# and the sessions are equal 

# then u is equal to w if and only if 

# both keys are equal. 



Fig. 3. The Consistency Property Req Cons . 



property states that if two honest users successfully terminate a protocol session and 
then share a key, the adversary will never learn this key, which captures the confiden- 
tiality aspects of the protocol. The consistency property states that if two honest users 
establish a session key then both need to have a consistent view of who the peers to the 
session are, i.e., if an honest user u establishes a key with v, and v establishes the same 
key with user w, then u has to equal w. Moreover, we incorporate the correctness of 
the protocol into the consistency property, i.e., if the aforementioned outputs occur and 
u = w holds, then both parties have obtained the same key 4 . In the following defini- 
tions, we write t : D to denote the contents of database D at time t, i.e., at the t - th step 
of the considered trace, and t : plm and t : p\m to denote that message to occurs at 
input port respectively output port p at time t. 

The secrecy property Req Sec is formally captured as follows: If an output 
(ok, Otway_Rees, v, ID bnd , sfcse^ nd ) occurs at KS-Outt,! at an arbitrary time t\, then 
the key corresponding to skse^ d never gets an adversary handle, i.e., : D[hnd u = 

skse^ d ].hnd a = | for all t 2 . Figure 2 contains the formal definition of Req Sec . 

The consistency property Req Cons is formally captured as follows: Assume that out- 
puts (ok, Otway _Rees, v, ID hdd , sfcse(( nd ) and (ok, Otway _Rees, w, ID h v nd , sfcse dnd ) oc- 
cur at KS_out u ! respectively at KS_outJ at arbitrary times t\ and t 2 for honest users u 
and v such that the session identifiers are the same, i.e., t\ : D[hnd u = ID hdd ] = t 2 : 
D[hnd v — ID dnd ]. Then the handles sfcse, dnd and sfcse,„ nd point to the same entry in the 
database, i.e., t\ : D[hnd u = sfcse dnd ] = t 2 : D[hnd v = sfcse,„ nd ] if and only if u = w. 
The formal definition of Req Cons is given in Figure 3. 

4 A violation of the consistency property has been pointed out in [24] which arises since in their 
modeling the trusted third party creates multiple keys if it is repeatedly triggered with the same 
message. We explicitly excluded this in our definition of the trusted third party by storing the 
session IDs processed so far, cf. Step 7 and 10 in Algorithm 2. 
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The notion of a system Sys fulfilling a property Req essentially comes in two fla- 
vors [5]. Perfect fulfillment, Sys |= perf Req, means that the property holds with proba- 
bility one (over the probability spaces of runs, a well-defined notion from the underly- 
ing model [38] ) for all honest users and for all adversaries. Computational fulfillment, 
Sys |= poly Req, means that the property only holds for polynomially bounded users and 
adversaries, and only with negligible error probability. Perfect fulfillment implies com- 
putational fulfillment. The following theorem captures the security of the ideal Otway- 
Rees protocol. 

Theorem 1. (Security of the Otway-Rees Protocol based on the Ideal Cryptographic 
Library) Let Sys 0R ’ ld be the ideal Otway-Rees system defined in Section 3.2, and 
Req 5ec and Req < ~ ons the secrecy and consistency property of Figure 2 and 3. Then 
Sys 0R ' id b perf Req Sec A Req Cons . ' ' □ 

5 Proof in the Ideal Setting 

This section sketches the proof of Theorem 1, i.e., the proof of the Otway-Rees protocol 
using the ideal, deterministic cryptographic library. The complete proof can be found 
in the long version of this paper [4], The proof idea is the following: If an honest user 
u successfully terminates a session run with another honest user v, then we first show 
that the established key has been created before by the trusted third party. After that, 
we exploit that the trusted third party as well as all honest users may only send this key 
within an encryption generated with a key shared between u and T respectively v and 
T, and we conclude that the adversary hence never gets a handle to the key. This shows 
the secrecy property, and the consistency property can also be easily derived from this. 
The main challenge was to find suitable invariants on the state of the ideal Otway-Rees 
system. This is somewhat similar to formal proofs using the Dolev-Yao model, and the 
similarity supports our hope that the new, sound cryptographic library can be used in 
the place of the Dolev-Yao models in automated tools. 

The first invariants, correct nonce owner and unique nonce use, are easily proved 
and essentially state that handles a; hnd where (x hnd , •, •, •) is contained in a set Nonce u 
indeed point to entries of type nonce, and that no nonce is in two such sets. The next two 
invariants, nonce secrecy and nonce-list secrecy, deal with the secrecy of certain terms. 
They are mainly needed to prove the invariant correct list generation, which establishes 
who created certain terms. The last invariant, key secrecy, states that the adversary never 
learns keys created by the trusted third party for use between honest users. 

- Correct Nonce Owner. For all u £ Ti, and for all (x hnd , •,•,•) £ Nonce u , it holds 
D[hnd u = a: hnd ] ^ J, and D[hnd u = x hnd ].type = nonce. 

- Unique Nonce Use. For all u, v £ PL, all w, w' £ {1, . . . , n}, and all j < size: If 
(D[j].hnd u , -,w, ■) £ Nonce u and (D[j].hnd v , ■, w' , •) £ Nonce v , then ( u,w ) = 
{v,w'). 

Nonce secrecy states that the nonces exchanged between honest users u and v remain 
secret from all other users and from the adversary. For the formalization, note that the 
handles cc hnd to these nonces are contained as elements (a: hnd , in the set Nonce u . 
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The claim is that the other users and the adversary have no handles to such a nonce in 
the database D of TH 74 : 

- Nonce Secrecy. For all u,v £ H and for all j < size: If (D[j].hnd u , •, v, •) G 
Nonce u then D[j].hnd w ^ { implies w £ {w,tJ,T}. In particular, this means 
D[j].hnd a = J.. 

Similarly, the invariant nonce-list secrecy states that a list containing such a handle can 
only be known to u, v, and T. Further, it states that the identity fields in such lists 
are correct. Moreover, if such a list is an argument of another entry, then this entry is 
an encryption created with the secret key that either u or v share with T. (Formally 
this means that this entry is tagged with the corresponding public-key identifier as an 
abstract argument, cf. Section 3.1.) 

- Nonce-List Secrecy. For all u,v £ H and for all j < size with D[j].type = list: 
Let x- nd := D[j].arg[i] for i = 1, 2, 3, 4. If (D[x'i d ].hnd u , •, v, l ) £ Nonce u then 

a) D[j].hnd w ^ J, implies w £ {u, v, T} for l £ {1, 2, 3, 4}. 

b) If Z £ {1,4} and D[x™ d ].type = data, then D[x™ d ].arg = ( u ) and 

D{x™ d \.arg = (u). 

c) If l £ {2,3} and D[x™ d ].type = data, then D[x^ d ].arg = ( v ) and 

D{x™ d \.arg = ( u ). 

d) for l £ {1,2, 3, 4} and for all k < size it holds j £ D[k].arg only if 
D[k\.type = symenc and D[k\.arg[l\ £ {pkse u ,pkse v }. 

The invariant correct list owner states that certain protocol messages can only be con- 
structed by the “intended” users respectively by the trusted third party. 

- Correct List Owner. For all u,v £ H and for all j < size with D[j].type = list: 
Let x- nd := D[j).arg[i] for i = 1, 2 and x^u := D\x™ d ].hnd u . 

a) If (a: dnd , •, v, l) £ Nonce u and D[x' 2 d ].type ^ skse, then D\j] was created by 
M® R in Step 1.6 if l = 1 and in Step 3.12 if l = 2. 

b) If (x' l ^ d ,ID h " d ,v,l) £ Nonce u and D[x' 2 d ].type = skse, then D[j } was cre- 
ated by M ° R in Step 2.22 if l = 3 and in Step 2.20 if l = 4. Moreover, we have 
D[hnd u = ID^ A ] = D[hndj = /Dj nd ], where IDj nd denotes the handle that 
T obtained in Step 2.1 in the same execution. 

Finally, the invariant key secrecy states that a secret key entry that has been generated 
by the trusted third party to be shared between honest users u and v can only be known 
to u, v, and T. In particular, the adversary will never get a handle to it. This invariant is 
key for proving the secrecy and the consistency property of the Otway-Rees protocol. 

- Key Secrecy. For all u, v £ H and for all j < size with D[j].type = skse: 

If D[j] was created by My R in Step 2. 19 and, with the notation of Algorithm 2, we 
have that y 3 = u and 7/4 = v in the current execution of M ° R , then D[j].hnd w ^ { 
implies w £ {u, v, T}. 
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6 Proof of the Cryptographic Realization 

If Theorem 1 has been proven, it remains to show that the Otway-Rees protocol based 
on the real cryptographic library computationally fulfills corresponding secrecy and 
consistency requirements. Actually, different corresponding requirements can easily be 
derived from the proof in the ideal setting. Obviously, carrying over properties from the 
ideal to the real system relies crucially on the fact that the real cryptographic library is 
at least as secure as the ideal one. This has been established in [8,7], but only subject 
to the side condition that the surrounding protocol, i.e., the Otway-Rees protocol in our 
case, does not raise a so-called commitment problem. Establishing this side condition 
is crucial for using symmetric encryption in abstract, cryptographically sound proofs. 
We explain the commitment problem in the next section to illustrate the cryptographic 
issue underlying the commitment problem, and we exploit the invariants of Section 5 to 
show that the commitment problem does not occur for the Otway-Rees protocol. As our 
proof is the first Dolev-Yao-style, cryptographically sound proof of a protocol that uses 
symmetric encryption, our result also shows that the commitment problem, and hence 
also symmetric encryption, can be conveniently dealt with in cryptographically sound 
security proofs by means of the approach of [7], 

For technical reasons, one further has to ensure that the surrounding protocol does 
not create “encryption cycles” (such as encrypting a key with itself), which had to be 
required even for acquiring properties weaker than simulatability, cf. [3] for further 
discussions. This property is only a technical subtlety and clearly holds for the Otway- 
Rees protocol. 

6.1 Absence of the Commitment Problem for the Otway-Rees Protocol 

As the name suggests, a “commitment problem” in simulatability proofs captures a sit- 
uation where the simulator commits itself to a certain message and later has to change 
this commitment to allow for a correct simulation. In the case of symmetric encryption, 
the commitment problem occurs if the simulator learns in some abstract way that a ci- 
phertext was sent and hence has to construct an indistinguishable ciphertext, knowing 
neither the secret key nor the plaintext used for the corresponding ciphertext in the real 
world. To simulate the missing key, the simulator will create a new secret key, or rely 
on an arbitrary, fixed key if the encryption systems guarantees indistinguishable keys, 
see [3]. Instead of the unknown plaintext, the simulator will encrypt an arbitrary mes- 
sage of the correct length, relying on the indistinguishability of ciphertexts of different 
messages. So far, the simulation is fine. It even stays fine if the message becomes known 
later because secure encryption still guarantees that it is indistinguishable that the simu- 
lator’s ciphertext contains a wrong message. However, if the secret key becomes known 
later, the simulator runs into trouble, because, learning abstractly about this fact, it has 
to produce a suitable key that decrypts its ciphertext into the correct message. It can- 
not cheat with the message because it has to produce the correct behavior towards the 
honest users. This is typically not possible. 

The solution for this problem taken in [7] for the cryptographic library is to leave it 
to the surrounding protocol to guarantee that the commitment problem does not occur, 
i.e., the surrounding protocol must guarantee that keys are no longer sent in a form that 
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might make them known to the adversary once an honest participant has started using 
them. To exploit the simulatability results of [7], we hence have to prove this condition 
for the Otway-Rees protocol. Formally, we have to show that the following property 
NoComm does not occur: “If there exists an input from an honest user that causes a 
symmetric encryption to be generated such that the corresponding key is not known to 
the adversary, then future inputs may only cause this key to be sent within an encryption 
that cannot be decrypted by the adversary”. This event can be rigorously defined in the 
style of the secrecy and consistency property but we omit the rigorous definition due to 
space constraints and refer to [7] . The event NoCom m is equivalent to the event “if there 
exists an input from an honest user that causes a symmetric encryption to be generated 
such that the corresponding key is not known to the adversary, the adversary never gets 
a handle to this key” but NoComm has the advantage that it can easily be inferred from 
the abstract protocol description without presupposing knowledge about handles of the 
cryptographic library. For the Otway-Rees protocol the event NoComm can easily be 
verified by inspection of the abstract protocol description, and a detailed proof based on 
Algorithms 1-3 can also easily be performed by exploiting the invariants of Section 5. 

Lemma 1. (Absence of the Commitment Problem for the Otway-Rees Protocol) 
The ideal Otway-Rees system Sys OR ’ ,d perfectly fulfills the property NoComm, i.e., 
Sys 0R ' id |= perf NoComm. ' ' □ 

Proof. Note first that the secret key shared initially between a user and the trusted third 
party will never be sent by definition in case the user is honest, and it is already known 
to the adversary when it is first used in case of a dishonest user. The interesting cases 
are thus the keys generated by the trusted third party in the protocol sessions. 

Let j < size, D[j].type = skse such that D\j\ was created by Mj R in Step 2.19, 
where, with the notation of Algorithm 2, we have 7/3 = u and 7/4 = v for 7 / 3 , 7/4 £ 
{ 1 , . . . , n} . If u or 7 ; were dishonest, then the adversary would get a handle for D [j] after 
M ° R finishes its execution, i.e., in particular before D[j] has been used for encryption 
for the first time, since the adversary knows the keys shared between the dishonest users 
and the trusted third party. If both u and v are honest, key secrecy then immediately 
implies that t : D[j].hnd 3 = J. for all teN, which finishes the proof. ■ 



6.2 Proof of Secrecy and Consistency 

As the final step in the overall security proof, we show how to derive corresponding 
secrecy and consistency properties from the proofs in the ideal setting and the simulata- 
bility result of the underlying library. 

We show this only for secrecy and sketch the proof for consistency. Note that the 
secrecy property Req Sec specifically relies on the state of TH 44 , hence it cannot be used 
to capture the security of the real Otway-Rees system, where TH 44 is replaced with the 
secure implementation of the cryptographic library. The natural counterpart of Req Sec 
in the real system is to demand that the adversary never learns the key (now as an actual 
bitstring), which can be captured in various ways. One possibility that allows for a 
very convenient proof is to capture the property as a so-called integrity property in the 
sense of [5]. Integrity properties correspond to sets of traces at the in- and output ports 
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connecting the system to the honest users, i.e., properties that can be expressed solely 
via statements about events at the port set Su', in particular, integrity properties do not 
rely on the state of the underlying machine. Integrity properties are preserved under 
simulatability, i.e., they carry from the ideal to the real system without any additional 
work. Formally, the following preservation theorem has been established in [5], 

Theorem 2. ( Presen’ation of Integrity Properties ( Sketch ) ) Let two systems Sys v Sys 2 
be given such that Sys 1 is at least as secure as Sys 2 (written Sys 1 >P“ y Sys 2 ). Let 
Req be an integrity property for both Sys ± and Sys 2 , and let Sys 2 |= poly Req. Then 
also Sys ± |= poly Req. □ 

We can now easily rephrase the secrecy property Req Sec into an equivalent integrity 
property that is well-defined for both the ideal and the real Otway-Rees system by 
employing standard techniques, e.g., by assuming that once the adversary has learned 
the shared key, the adversary sends the key to an honest user. Formally, we may 
augment the behavior the protocol machine M° R so that if it receives a message 
(broken, skseff d ) from a dishonest sender, it outputs this message to its user u at 
port KS_out„!. The property Req Sec can then be rewritten by replacing the statement 
t'2 : D[hnd u = sksef' d ].hnd 3 = J. withf 2 : KS_out„!ra =>■ m (broken, skse'f' 6 ). 
We call the resulting integrity property Req . If we denote the ideal Otway-Rees sys- 
tem based on these augmented protocol machines by Sys ,0R "' d then we clearly have 
Sys 0R ' ,d |= perf Req Sec if and only if Sys' 0R "' d |= perf Req^\ since a user may only 
receive a message (broken, skse „) if the adversary already has a handle to sksef ld , 
and conversely if an adversary has a handle to sfcsej( nd it can create and send the mes- 
sage (broken, skse h f d ). This can easily be turned into a formal proof by inspection of 
the commands list and sendJ offered by the trusted host. The preservation theorem now 
immediately allows us to carry over the secrecy property to the real Otway-Rees system. 

Theorem 3. (Security of the Real Otway-Rees Protocol) Let Sys ,0R ' reai denote the 
Otway-Rees system based on the real cryptographic library and the protocol machines 
augmented for capturing the integrity property Reqf^v Then Sys ,OR ' reai |= poly Reqf^. 

□ 

Proof Let Sys cry ’ ,d and Sys cry ' real denote the ideal and the real cryptographic library 
from [8] augmented with symmetric encryption as introduced in [7], In [8,7] it has al- 
ready been shown that Sys cryjea 1 >££! y Sys cry,ld holds for suitable parameters in the 
ideal system, provided that neither the commitment problem nor encryption cycles oc- 
cur. We have shown both conditions in the previous section. Let Sys' 0R "' d denote the 
ideal Otway-Rees system based on the augmented protocol machines. Since Sys' 0R real 
is derived from Sys' 0R " ,d by replacing the ideal with the real cryptographic library, 
Sys' 0R ’ rea * > p e °^ y Sys' 0R " ,d follows from the composition theorem of [38]. We only 
have to show that the theorem’s preconditions are in fact fulfilled. This is straightfor- 
ward, since the machines M° R are polynomial-time (cf. Section 3.3). Now Theorem 1 
implies Sys OR, ' d |= poly Req Sec which yields Sys ,OR ' ,d ^= poly Req^\ ■ Since Req f e e a C | is an 
integrity property Theorem 2 yields Sys' 0R rea ' ^ poly Reqf^. m 

Similar to the secrecy property, the consistency property Req Cons specifically relies on 
the state of TH-^. The corresponding consistency property for the real Otway-Rees 
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system can be defined by requiring that both handles point to the same bitstring, i.e., by 
replacing t\ : D[hnd u = skse^ d ] = t 2 : D[hnd v = sfcse dnd with H : D u [hnd u = 
skse^ d ].word = t 2 '■ D v [hnd v = skse^ nd ].word for the databases D u and D v of the 
real library. We omit a formal proof that the real Otway-Rees system computationally 
fulfills this property; the proof can be established similar to the proof of the secrecy 
property where one additionally exploits that if the real Otway-Rees protocol is run with 
an arbitrary adversary and we have t\ : D[hnd u = sfcse dnd ] = t 2 ■ D[hnd v = sfcse,„ nd ] 
then there always exist an adversary against the ideal Otway-Rees protocol such that 
fi : D u [hnd u = skse^ d ].word = £2 : D v [hnd u = skse^ nd ].word, cf. [8,7]. 

6.3 Towards Stronger Properties 

To conclude, we sketch that also stronger properties can be derived for the real Otway- 
Rees protocol from Theorem 1 and the proof of the simulatability result of the crypto- 
graphic library, e.g., a stronger notion of secrecy; There does not exist a polynomial- 
time machine that is able to distinguish the adversary’s view in a correct protocol exe- 
cution from the adversary’s view in a protocol execution where all keys shared between 
honest users are replaced with a fixed message of equal length (which means that the 
adversary does not learn anything about these keys except for their lengths). It is easy to 
show that the real Otway-Rees protocol fulfills this property because one could other- 
wise exploit Theorem 1 to distinguish the ideal cryptographic library from the real one 
using standard techniques, which would yield a contradiction to the results of [8, 7], 
The proof idea is as follows: In the simulatability proof of the cryptographic library, 
the simulator simulates all keys for which no adversary handle exists with a fixed mes- 
sage since it does not know the appropriate key [7], Moreover, when run with the ideal 
system and the simulator, the adversary does not learn any information in the Shannon 
sense about those symmetric keys for which it does not have a handle [8,7], Hence 
Theorem 1 implies that these statements in particular hold for the secret keys shared 
between honest users. Now if an adversary Aqi s existed that violated the above property 
with not negligible advantage over pure guessing, we could define a distinguisher Dis 
for the ideal and real library by first triggering Aoi s as a black-box submachine with 
the obtained view and by then outputting the guess of Apis as a guess for distinguishing 
the ideal and the real library. It is easy to show that Dis provides a correct simulation 
for Aois and hence succeeds in distinguishing the ideal and the real library with not 
negligible probability. 

7 Conclusion 

We have proven the Otway-Rees protocol in the real cryptographic setting via a de- 
terministic, provably secure abstraction of a real cryptographic library. Together with 
composition and preservation theorems from the underlying model, this library allowed 
us to perform the actual proof effort in a deterministic setting corresponding to a slightly 
extended Dolev-Yao model. We hope that it paves the way for the actual use of auto- 
matic proof tools for this and many similar cryptographically faithful proofs of security 
protocols. 
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Abstract. The use of formal methods to verify security protocols with 
respect to secrecy and authentication has become standard practice. In 
contrast, the formalization of other security goals, such as privacy, has 
received less attention. Due to the increasing importance of privacy in 
the current society, formal methods will also become indispensable in 
this area. Therefore, we propose a formal definition of the notion of 
anonymity in presence of an observing intruder. We validate this def- 
inition by analyzing a well-known anonymity preserving protocol, viz. 
onion routing. 

1 Introduction 

Nowadays there is a growing concern about one’s privacy. The adoption of tech- 
niques like RFID and DR.M may have severe consequences for the privacy of the 
individual [8,6]. The widespread acceptance of electronic services, such as loca- 
tion based services, electronic tolling, loyalty schemes, may carry consequences 
on the user’s privacy. As ‘privacy’ is becoming more of an issue, there is an 
increasing need for analysis of systems in relation to privacy requirements. 

The so-called functional class in the Common Criteria (CC, [10]) distin- 
guishes between four aspects of privacy: anonymity, pseudonymity, unlinkabil- 
ity and unobservability. Anonymity, which is the topic of our current research, 
ensures that a subject may use a resource or service without disclosing its user 
identity. Pseudonymity ensures that a user may use a resource or service without 
disclosing its identity, but can still be accountable for that use. Unlinkability en- 
sures that a user may make multiple uses of resources or services without others 
being able to link these uses together. Unlinkability differs from pseudonymity 
in the sense that, although in pseudonymity the user is also not known, relations 
between different actions can be provided. Unobservability ensures that a user 
may use a resource or service without others, especially third parties, being able 
to observe that the resource or service is being used. 

Such informal definitions are essential to the understanding of the differ- 
ent notions of privacy, but will only allow to investigate a system informally. 
However, in contrast to other security properties, such as confidentiality and 
authentication (see e.g. [14,4]), privacy has hardly been studied from a formal 
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methods point of view (see e.g. [12,11,3] for more or less informal approaches 
to anonymity). It is our aim to provide an appropriate formal definition of 
anonymity and validate this definition by analyzing the well-known onion routing 
protocol. In [14] a start is made to give a formal description of anonymity. 

Our definition of anonymity is based on the above mentioned definition in the 
CC and on the definition of anonymity provided by Pfitzmann et al. [12], which 
reads “Anonymity is the state of being not identifiable within a set of subjects, 
the anonymity set.” This anonymity group forms the basis of our definition. We 
say that a user u' is in the anonymity group of user u, if for every behaviour of 
the system that can be attributed to it, there is another possible behaviour of 
the system that can be attributed to v ! , such that an observer or intruder cannot 
tell the difference between these two behaviours. This means that an intruder 
cannot tell the difference between u and any other user in its anonymity group. 

Onion routing was originally devised by Goldschlag, Reed, Syverson in [9, 17] 
as a solution for anonymous connections. Onion routing creates a layered data 
structure called an onion. As the data passes through each onion router along 
the way, one layer of encryption is removed according to the recipe contained 
in the onion. The Naval Research Lab has a test bed Onion Routing Network 
that is available for any one to use. While in operation, users in more than sixty 
countries initiated up to 1.5 million connections per month through the prototype 
system. This demand certainly shows an interest in the service. It also shows that 
it is feasible. Based on this success, a design for a second generation system was 
initiated [16]. 

Syverson et al. have performed an analysis of the second generation system 
for onion routing. In [16] different attacker models are considered, viz. single, 
multiple, roving and global adversary. A single and a multiple adversary point 
to a situation where only one core onion router, respectively, more core onion 
routers are compromised. In both cases the compromised onion routers are fixed. 
A roving adversary points to a situation where a fixed-bound size subset of core 
onion routers is compromised at any one time. At specific intervals, other core 
onion routers can become compromised or uncompromised. Syverson et al. rule 
out the global adversary (all core onion routers are compromised) as the onion 
routing infrastructure cannot realize any anonymity in that case. They compare 
the results with the protection provided by the Crowds model [13]. It is shown, 
that onion routing generally resists traffic analysis more effectively than any 
other published and deployed mechanisms for Internet communication. 

Diaz et al. [5] and also Serjantov and Danezis [15] propose an information 
theoretic approach to measure the level of anonymity of a system. In their model 
the attacker will carry out a probabilistic attack: after observing the system, an 
attacker may assign some probabilities to each sender as being the originator 
of a message. This can be based on information the system is leaking, message 
lengths, traffic analysis, etc. Subsequently, the entropy is used as a tool to cal- 
culate the degree of anonymity achieved by the users of a system towards a 
particular attacker. Their measurement method is applied to analyze the degree 
of anonymity of crowds and onion routing. 
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We provide a possibilistic analysis of the onion routing protocol in a process 
algebraic framework. We aim at determining the anonymity groups of part tak- 
ing users under different circumstances, such as conspiring routers. In order to 
appreciate the intricacies of the onion routing protocol, we have analyzed sev- 
eral weaker protocols too. In this paper we will only report on our findings with 
respect to a variation which we coined coconut routing. 

Our paper is structured as follows. In Section 2 we provide a formal definition 
of anonymity in a trace model. In Section 3 we explain an abstraction of the 
onion routing protocol and give its formal specification in process algebra. We 
also provide an alternative characterization which will show helpful in the formal 
analysis of Section 4. In Section 5 we discuss conclusions and future research. 

2 Formal Definitions 

Intruder capabilities. In this section we define the notion of anonymity in pres- 
ence of an eavesdropping intruder. In general, the intruder can overhear the 
communication, but can not interpret all the messages. Dependent on the set 
of keys known to the intruder, some behaviours of the system observed by the 
intruder can be distinguished while others can not. If the intruder can not, based 
on its eavesdropping capacities, distinguish between two users, these two users 
are in the same anonymity group. 

We fix a set of users U, a set of actions A, a set of traces T and a set of 
keys K-. The set of actions A is split up into a subset of observable actions Aobs 
and a set of invisible actions A nv - For our purposes, the set of traces T consists 
of all finite and infinite words of actions from A. 

The actions come equipped with some syntactic structure, the details of 
which do not matter here. We assume that the set A can be viewed as the 
collection of terms of some signature that includes an operation e, k i— > {e}k 
for an expression e and key k. Let K C 1C be a set of keys. A tagging function 
8 : A — > Ae, with 0 some fixed set of tags, maps actions in A, i.e. terms over the 
implicit signature, to tagged actions in Ae , i.e. terms over the implicit signature 
extended with the elements of 0 as new constants. The function 9 is assumed to 
be injective; the idea is to replace undecryptable subterms by some tag, such that 
equal subterms are identified with the same tag. More concretely, the mapping 
Ok'- A—* Ae has the property 0jc({e}fc) = {6>A'(e)}fc if the key k is in the set of 
keys K and #A:({e}fc) = (9({e}fc) if not. The mapping 9k extends naturally from 
actions to traces. 

We say that two traces fi, t 2 € T are K -equivalent, notation t\ ~k t- 2 , if, for 
some bijection /?: 0 — » 0, it holds that 0Ar(ti) = (0 o 9) K {t2j. The interpretation 
of t\ ~a: t -2 is that the traces t\ and t -2 are equal for what can be observed, 
possibly after decryption with the keys in K, and there is a global correspondence 
between the parts that can not be decrypted. Suppose we have the actions a = 
{ei }k, b = {e 2 }k and c = {e 3 } fe , and actions x = {e} fcl , y = {e} k2 and z = {e} ks - 
The tagging of traces is a means to express the capability of an intruder to 
distinguish, e.g., the 2-element traces a ■ b and c • c even if the intruder can not 
decrypt any of the terms . Likewise, we have x ■ y ^ K z ■ z irrespective of which 
of the keys k \ , k 2 and are known. 
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The above notion of tagging and renaming captures that not all information 
carried by a trace can be distinguished by the intruder. This even stretches a 
little further: some actions will not be visible at all. Although we assume, that 
the intruder can overhear all network activity, the internal activity of principals 
can not be observed. Therefore, we have means to restrict a trace t over A to 
a trace over A 0 bs of observable actions. The mapping obs: T — > T is such that 
obs(e) = e, obs(a ■ t) = a ■ obs(t) if a € A 0 bs and obs(a ■ t) = obs(t) if not. We 
use the notation t\ <2 iff obs(t±) ~k obsfo)- When the set of keys K is 
clear from the context, we simply write t\ ~ 0 bs t' 2 - For the sake of simplicity, 
we treat K as a constant set of keys. This will suffice for the treatment of the 
onion routing protocol, where the intruder does not learn any new keys during 
operation. In general, however, a privacy protocol may leak encryption keys, 
requiring a dynamic modeling of K. This extension is rather straightforward 
and will not influence the main line of reasoning. Therefore, we will ignore this 
possibility. 

User attribution. Next, we address the notion of attributing a trace to a user. As 
a trace can contain interaction of various sessions of many principals in different 
roles, we introduce a mechanism to focus on a particular action of a trace. In 
concrete situations we fix a so-called attribution function for each role that is 
of interest. Such an attribution function a: T x N — > U returns the user in 
the particular role, involved in the interaction corresponding to the n-th action 
t[n] of the trace t. For example, in a four step key agreement protocol we can 
distinguish between the roles of initiator, responder and server. A trace t of a 
system with many users, acting both as initiator and responder, contains many 
sessions. There may be some communication at position n of t corresponding to 
the third step of the protocol. The attribution function for initiator then returns 
the initiator of the particular protocol session; the attribution function for the 
responder returns the responder of the particular session. 

The attribution function «(•,•) does not take the intruder into account. 
In general, the intruder considers a particular occurrence of an action in a 
trace or part of a trace and tries to identify the user or users involved in 
this. However, the selection by the intruder of the action of interest is based 
on observable actions only. If two traces are observationally the same to the 
intruder, its analysis is focused on the same action. The traces generally dif- 
fer in the number and/or position of invisible actions, so that the particu- 
lar action can be at different positions in the two traces. Therefore, we in- 
troduce the partial mapping obscnt : T x N i N, that returns for a posi- 
tion n in a trace t the corresponding position obscnt(t, n) in the reduced trace, 
i.e. obscnt(t,0) = 0, obscnt{a ■ t,n + 1) = obscnt(t,n ) + 1 if a € A 0 bs and 
obscnt{a -t,n + 1) = obscnt(t, n) + 1 if a ^ -4 0 bs, and obscnt(e, n + 1) is unde- 
fined. 

Selection functions. Next, we introduce selection functions, that take only ob- 
servables and relative positions of observables into account. A selection function 
reflects a specific preference of the intruder. Formally, a mapping a: T — > N is 
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called a selection function, with respect to a set of keys K , if (i) aft) £ dom(t), 
(ii) £ *4 0 bs, and (iii) iffi t 2 then obscnt(ti,a(ti)) = obscntft 2 , cr(t 2 )). 

Thus, if traces t\ and t 2 are the same to the intruder that knows about the keys 
in K, then the selection function cr points in t\ and in t 2 to an observable action 
at corresponding positions. Given the choice of positions governed by a selection 
function er, the attribution a a of users to a trace, induced by the selection func- 
tion er, is then simply defined as a a (t) = a(t, a(t)). Note that, in general, we do 
not have a(t±, cr(fi)) = a(t 2 , <j(t 2 )). 

Below, we have occasion to further restrict the selection function that we 
consider. Intuitively, it is clear that an intruder observing a system from its very 
first startup is more powerful, than an intruder viewing the same system from 
some moment in time onwards. Typically, we assume the selection functions 
to stem from a class £ of selection functions that point at positions in traces 
beyond some initialization phase. Likewise, we only want to consider the traces 
of the system under consideration. Thus, for a given system S with the set of 
traces Tr(S) as its behaviour, we restrict the choice of traces to Tr(S) or a 
subset thereof (for example, fair traces). Thus, a selection function a will have 
functionality a: Tr(S ) — * IA rather than cr: T —> U. 

Anonymity. With this in mind, we are ready for the definition of an anonymity 
group of a user. For a user u, its anonymity group AG(u) consists of all users u! 
that can not be distinguished from u by the intruder: u' is in the anonymity 
group of u with respect to an attribution a and selection function cr, if for any 
trace t that is attributed to u, i.e. aft, aft)) = u, we can find an observationally 
equivalent trace t' , i.e. t' ~ 0 bs t, that is attributed to v! . So, given the observable 
behavior one can not tell whether u or any other user v! in its anonymity group 
was involved. 

Definition 1. Let S be a system, A 0 bs C A a set of observable actions, K C 1C 
a set of keys, £ a class of selection functions and a an attribution function. For 
a user u £ U, its anonymity group AG(u) is given by 

AG(u) = {u' £U | Vo- £ £Wt £ Tr(S) 3 1' £ Tr(S) : 

a<r(t) = u -» av(t') = u' At ~ obs t' }. 

Clearly, the size of AG(u) is an indication for the degree of anonymity user u has. 
Furthermore, note that, in general, we do not have v € AG(u) <=> u £ AG(v), 
so the set of anonymity groups does not form a partition of the set of users. In 
Section 4, we will exploit our definition of anonymity in a formal analysis of the 
onion routing protocol. 

3 An Example: Onion Routing 

We discuss the onion routing protocol for illustrating the formalization of pri- 
vacy. After an informal explanation of the onion routing protocol, we provide 
a formal specification in ACP-style process algebra. We will also briefly discuss 
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a weaker security protocol, which we call coconut routing. Next, we present an 
alternative characterization of the onion routing protocol which helps in proving 
our anonymity results in Section 4. 

3.1 The Onion Routing Protocol 

The onion routing protocol as devised by Syverson et al. [17] is a constellation 
of measures to establish anonymous connections between two agents. It is our 
intention to formally describe and analyze the smallest protocol based on the 
onion routing principle that still exhibits interesting privacy properties. Starting 
point is a network of routers. We assume that the network forms a connected 
graph, which means that there is a path from every router to every other router. 
Such a path may be comprised of a series of intermediate routers. 

To every router we associate a collection of users. Connections between a user 
and its router are typically realized within a local network and will be considered 
secure, while connections between two routers are not controlled by either router 
and may belong to a global communication infrastructure such as the Internet. 
It is realistic to assume that remote routers and connections between routers 
may be compromised. Given this possibly hostile environment, the purpose of 
the onion routing protocol is to enable a user S to send a message to a user R 
without revealing the identity of S nor that of R. 

In order to establish the above requirement, we assume the existence of a public 
key infrastructure for the routers. This means that every router (whether com- 
promised or not) has a public/private key pair and that all routers know the 
public keys of all other routers. The Message Sequence Chart of Figure 1 ex- 
plains how the protocol operates. Suppose that user S intends to send message 
m to user R. For S this simply means that it uses its router OS as a proxy to 
perform this task. Therefore, it sends message m and recipient R to OS. Next, 
its router determines a path leading to the router to which R belongs and packs 
the message in such a way that every node in the path can only deduce the next 
node in the path, but nothing else. Suppose the chosen path is OS\ Ol; 02; OR, 
then the message sent to Ol is Ol, {02, {OR, {R, m} pk (0R)}pk(02)} P k(0i), be. 
a header identifying the intended intermediate recipient Ol and a payload of 
some content encrypted with the public key of Ol. Since we expect that Ol only 
knows its own secret key, Ol can only peel off the outermost layer of this compos- 
ite message. Therefore, Ol obtains message 02, {OR, {R, m} p k(0R.)}pk(02) and 
learns that this message has to be passed through to router 02. Likewise, 02 
and OR peel off their layer from the onion and, finally, OR knows that it has to 
send message to to its user R. 

The reason why this protocol establishes privacy of the sender and receiver of 
a message lies in the fact that the messages leaving a router cannot be related to 
the messages that have entered a router. This unlinkability of incoming and out- 
going messages requires that an attacker cannot trace an outgoing message back 
to an incoming message by simply trying the public keys of all routers. There- 
fore, we require randomized encryption, which means that the same message 
encrypted with the same key every time yields a different enciphered message. 
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Fig. 1 . Sample run of the onion routing protocol 



This can be established e.g. by salting the input. Which conditions exactly guar- 
antee which kind of privacy is subject of the formal analysis later in this paper. 

3.2 Coconut Routing 

The onion routing protocol works because the messages are packed in a series of 
shells, which are subsequently peeled off by the conveying routers. It is interesting 
to study weaker variants of this protocol and see how onion routing solves the 
weaknesses. To this end, we introduce a variation on onion routing, which we will 
call coconut routing. We will only conduct an informal analysis of this weaker 
protocol. A thorough analysis follows along the same steps as the analysis of the 
onion routing protocol above. 

In the coconut routing protocol, the original message and the path are en- 
crypted with a symmetric cryptographic key. This key is a secret shared by all 
routers. Figure 2 shows a sample run of the coconut routing protocol and suffices 
to understand its operation. 



3.3 Formal Specification of Onion Routing 

The above describes onion routing informally. Next, we define the onion routing 
protocol in ACP-style process algebra (see, e.g., [1,7,2]). We assume that the 
reader is familiar with the basics of this particular branch of process algebra. 
Nevertheless, our approach is independent of the chosen framework as long as it 
supports reasoning at a trace level. 

Fix a set 1Z of routers, a set U of user, a set M of messages and a set K, of 
keys. The set Path of paths is defined by Path = 1Z* . We use r to range over 1Z, 
u and v to range over U , and m and p to range over A4 and Path, respectively. 
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Fig. 2. Sample run of the coconut routing protocol 



Fix a router assignment p:U —>1Z that associates a router p(u) with each user. 
We use site(r) and site(u) to denote the set of users u' such that p(v!) = r and 
p{u') = p(u), respectively. We assume to be given a mapping pk: 1Z — > K, to 
retrieve a public key pk{r) of a router r. Furthermore, the topology of the router 
network is reflected by an undirected connected graph A f having the set 1Z as its 
nodes. The set A f(r), the neighborhood of the router r, consists of all routers r' 
for which an edge connecting r and r' exists in the graph A f. 

We use the notation path(r, q) for the collection of those non-empty paths 
r\ ■ r 2 ■ ■ ■ r n such that Af(r, r i), A/ r (rj, rj+i), for 1 < i < n, and r n = q. Onions 
are the basic objects that will be passed around in the onion routing protocol 
below. The set of onions (A, ranged over by o, is inductively given by 

vGUAmGM => (v,m) € O (1) 

oGOArGTZ => (r, {o} pk(r) ) G O. (2) 

The collection 0± = OU{l} extends O with the dummy onion _L. For a path p 
and onion o, the function pack: Path x O — > O is given by 

pack(s, o) = o (3) 

pack(r ■ p,o) = (r, {pack(p, 6) } pJf(r) ) . (4) 

The function pack wraps the onion o with the public keys of the routers along the 
path p. In particular, for a path p = n • r 2 • • • r n , user v and plaintext to, we have 
pack(p, ( v , to)) = (n, {(r 2 , {• • • (r„, {{v, m)} pk{rn) ) . . ■} pk (r 2 ))} P k( ri )) ■ Conversely, 
the function peel: O — > 0\_ is the inverse of packing, i.e., peel(o) = o' if o = 
(r, {o'lpijr)) for some router r and delivers _L otherwise. 

Node-oriented, system description The basic building blocks in an onion routing 
system are the routers. We consider the process Node r , with the subscript r 
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denoting the particular router, to come equipped with a buffer B that contains 
the onions that are still to be delivered. In general, B £ Mul(0) is a multiset of 
onions. Possible actions for Node r are taken from the alphabet 

A r = { input(u , v, m), reader' , r, o),send(r, r" , o ), output(v, m) 

| u £ site(r),v €U,m £ M,Af(r', r),N{r, r"),o £ O }. 

We fix the set of actions A to A = U{ A r \ r £ TZ }. A router r with buffer B 
can either 

— input, from one of its users u, a new message m with destination v that can 
subsequently be forwarded along a path p from r to the router of v, 

— store an onion o that is read from one of its neighboring router r' after 
peeling it off, 

— take an onion (r" , {o , } p j c ( r )) from the buffer for sending to another router r " , 
or 

— deliver an onion ( v,m ) in the buffer to the user v. 

Using the operators + and ^ to denote choice and • for sequential composition, 
we obtain the following recursive definition of the behaviour of a node: 

Node r (B) = 

T,ue S ite(r),v&U,meM ^put(u, V, m) 

■ T,pepa.th(r,p(v )) N °de r (B U {pack(p, v,m)}) 

+ Eatw ,r),oeo read ( r '- u o) ■ Node r (B U {peel(o)}) 

+ E 0 =<r",{o"} pit(r „ ) )es send r>r " (o) • Node r (B \ {o}) 

+ Emmies output(v,m) ■ Node r (B \{{v,m)}). 

The communication function matches read and sent events, i.e. 

read(r,r',o) \ send(r,r',o) = comm(r,r',o) 

for any two routers r, r' and onion o. The set H of encapsulated or forbidden 
actions is given by 

H = { rea d(r, r' , o),send(r, r' , o) \ r, r' £ TZ, o £ O }. 

Finally, using Oh to encapsulate partial communications and || to denote parallel 
composition, the onion routing network ORN is defined by 

ORN= (d H (Wren Node r m) ■ 

Thus, the onion routing network consist of a number of routers, each with a 
local buffer. The system starts with all routers having an empty buffer, and 
evolves by routers getting from and delivering to their clients and exchanging 
onions with other routers. Because of the choice of the communication function 
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and encapsulation, the system ORN does not exhibit unmatched read and send 
actions, but input , output and comm actions only. 

A technical issue concerns the synchronization of read and send actions. In 
general, the environment can influence a non-deterministic choice over the index 
set path(r, p(y )) for a user v and message m, by offering only a selection of reads 
that can match the send action that executes to the sending of pack(p, v, to) to 
the first router along the path. This way an intruder could get control over the 
choice of the path connecting r and v (and, e.g., direct it via some compromised 
router) . To prevent this, the usual trick is to insert a so-called silent action, skip 
say, just in front of Node r (B + {pack(p, v, to)}) in the first summand. This would 
clutter up the further analysis dramatically, with a distinction between nodes 
that have or have not taken the skip- step after an input and path-selection. As we 
consider in this paper mainly an intruder model with eavesdropping capabilities 
only, we suppress this technicality in the remainder. 

Path-oriented system description As alternative to the above node-oriented de- 
scription of the network as a collection of nodes, one can follow an activity-driven 
approach. The node-oriented description is not very appealing from a global 
point of view. It is hard to identify the flow triggered by an intent of sending a 
message to from a user u to a user v over the network. Therefore, we view an 
onion routing network as a parallel composition of the process of the sending of a 
message by an initiating user, the passage of the associated onion along a certain 
path of routers, and the receipt of the message by the designated user. In order 
to capture the above intuition, we define processes Comm(r,p,o ), for a router r, 
path p and an onion o, to reflect that the onion o resides in packed form at the 
router r and still has to travel along the path p. Also, for usage in Section 4, 
we define processes OR(u,v,m,p) representing the sending of message to from 
user u to v along the path p. Thus 

OR(u,v,m,p) = input^u, v, to) • Comm(r,p , (■ v,m )) • output(v,m) 
Comm(r , e, o) = e if o = (v, in) and v € site(r) 

Comm(r,r' ■ p,o ) = comm(r,r' ,(r' ,pack(r' • p,o ))) • Comm(r' ,p,o) 

if r' e J\f(r), Comm(r' ,p, o) ^ 5 
Comm(r , p,o) = 5 otherwise 

where, in the right-hand side, e and 6 are the successfully terminating process and 
unsuccessfully terminating or deadlocking process, respectively. The resulting 
system ORN' is then given by 

ORN — X/reK,«esite(r),t)GK,meA / ( ) pepatii(r,(9(v)) ^ n P u t(u, V, TO.)- 

(ORN' || Comm(r,p, (v,m)) ■ output(v,m)) . 

Note the recurrence of ORN' at the right-hand side. After the displayed in- 
put action, the system continues with the processing of the input in compo- 
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nent Comm(r,p, (v,m)), but is also ready to initiate the sending of new mes- 
sages. 

Next, we would like to have that the node-oriented and patlr-oriented description 
of onion routing coincide. The former is closest to the informal description; for 
the latter it is immediate what its traces look like. 

Theorem 1. The systems ORN and ORN 1 have the same traces. □ 

For a proof of Theorem 1, one introduces some auxiliary concepts, viz. that of a 
distributed buffer state /3 and of a global communication state 7. Using these one 
shows, for some suitable relation C, that C(/3,7) implies that the generalized 
systems ORN((3 ) and ORN '(7) have the same traces. Since, in particular, it 
holds that C(0,0) and ORN = ORN (0), ORN' = ORN '(0), the result follows. 
The characterization of Theorem 1 will be exploited in the next section, where 
we establish anonymity results for onion and coconut routing. 

4 Anonymity Properties of Onion Routing 

In this section, we determine the anonymity group for senders and receivers 
engaged in a message exchange via onion routing based on the formal definition 
presented in Section 2. For the instantiation of Definition 1 we have to pick a 
system, a subset of observable actions, a set of compromised keys, a class of 
selection functions and a user attribution. The system under consideration is 
ORN with set of traces Tr(ORN). We split the set of actions by considering 
inputs and outputs to be invisible and communications to be observable, thus 
-dobs = { comm(r, r' , 0 ) \ r,r' £lZ,o G O}. Furthermore, we fix a set CN CIZoi 
compromised nodes, i.e., a set of routers r of which the secret key corresponding 
to the public key pk(r) is known to the intruder. Hence, the set K of compromised 
keys consists of { pk(r) \ r G CN} that are no longer safe to use. The anonymity 
analysis below is with respect to the observational equivalence ~ 0 bs induced by 
the observables -4 0 bs and bad keys K. 

The selection functions, that select the observable action of interest in a trace, 
are restricted to functions that point beyond a proper initialization prefix. More 
concretely, part of the anonymity results below depend on the fact that a router 
has both been recorded as a receiving and as a sending host in the trace, earlier 
than the selected subtrace. So, we want to distinguish an index N t such that 

Vr € 1Z3n\, n .2 < N t : t[n{\ = comm(ri,r, o\) A t[ri 2 ] = comm(r , r2, 02) 

for some routers 77, r2 £ K, 01, 02 G O. For such an index N t to exist at all, we 
assume a fairness condition stating that every input and communication action 
have a successor action (communication or output) in the trace. In terms of the 
causality relation -< , to be defined in a minute, we require, for a trace t of ORN, 
to hold that 

Vi G N: t[i] ^ output (•, •) — » 3j G N : i -< t j. 
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The requirement is not only technically convenient, but, more importantly, it is 
plausible as well. For it is realistic to postulate, that the intruder can not oversee 
a whole infinite trace, but only a finite part of it. Therefore, it is safe to start 
from the assumption that finite subprocesses will terminate within an infinite 
trace. 

The alternative characterization of ORN captured by Theorem 1 states that 
a trace t of ORN is an interleaving of subtraces of the form OR(u,v,m,p ) for 
users u and v, message m and path p £ path(p(u), p(v)). In general, this does 
not provide a unique decomposition of the trace t. There are multiple ways to 
merge the finite subtraces OR(u,v,m,p) into an infinite trace t. Even more so, 
if, e.g. due to retransmission, actions can have several occurrences in a trace. 
For our purposes it suffices to choose, for every position n of t, a particular sub- 
trace w = OR(u,v,m.,p) such that n £ dom(w) (exploiting the partial function 
interpretation of traces). More precisely, define for a trace t the relation -< on N 

by 

n ~< m -<==>• t[n] = input(u,v,m), t[m\ = Comm(r,p, (v,m))[ 1], 

u,v £U,m £ At, r = p(u),q = p(v),p £ path(r , q), or 
t[n\ = Comm(r,p,o)[i], t[m] = Comm(r,p,o)[i + 1], 
r £ lZ,p £ path(r), o £ O, i £ N, or 
t[n\ = Comm(r,p, (v,m})[ k], t[m] = output(y,m), 
r £lZ,v £lA,m £ M.,k = len(Comm(r, p, (v, m})), 
q = p(v),p £ path{r, q ) 

such that W, n < t < m: t[i\ ^ t[m\. Then w = OR(u,v,m,p), with finite 
domain dom(w) = { *o, *i, • • ■ , *fc, U-+i }> is the subtrace of t for position n if 
n £ dom(w), i 0 -< t i\ < t ■ ■ ■ < t i k ~< t h+i, [*o] = input(u,v,m), t[h, ... ,i k ] = 
Comm(r,p , (■ v,m )), and t[i k + 1 ] = output(v,m). 

We define, for a selection function <r, the sender attribution function and 
receiver attribution function o£, in full a%, a r G : Tr(ORN) — > U by a%(t) = u and 
a r a (t) = v if OR(u,v,m,p ) is the subtrace of t for position a(t). 

Having observational equivalence and attribution in place, we continue with 
discussing two properties of onion routing that will be used in the proofs of 
anonymity results below. The first property states how a sequence of communi- 
cations can be cut in two. See Figure 5. 

Lemma 1 (path decomposition). Let r,r' £ 1Z, p £ path(r,r'). Let q be a 
router on p such that p = Pi ■ q ■ P 2 for suitable path pi and P 2 ■ Then it holds 
that CommlyS^p.o) = Commas, p i • g, pack(p 2 , o)) • Comm(q,p 2 ,o). □ 



The second property that we will exploit in the analysis below, states that if 
an outgoing communication comm(r,r',o) from a router r does not originate 
from an input of a user of r, then there must be an earlier incoming commu- 
nication comm(r" , r, o') such that the outgoing onion o is obtained from the 
incoming onion o ; by peeling off one skin. See Figure 4. 
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Lemma 2 (cross over). Let r £ 1Z, a a selection function and t a trace such 
that aft) — i, t[i\ = comm{r,r' ,o). 

(a) If a s a (t) site(r), then j -< i, t[j ] = commfr" , r, o') and o' = pack(r ' , o) for 
some j < i, r" and o' . 

(b) If a r a {t) ^ site(r'), then i -< k, t[k\ = comm(r' ,r" , o') and o = pack(r',o') 

for some i < k, r" and o' . □ 

We first consider the case of anonymity for senders. We distinguish between the 
situation where the key of router of the site is or is not compromised. As a 
consequence of Theorem 2 we have that, no matter how many keys have been 
leaked, the anonymity of a user is save as long as the key of its router is. 

Theorem 2. For a set of compromised nodes CN, onion routing has the follow- 
ing anonymity groups for senders: AG s (u) = U if p(u) CN, and AG s (u) = 
site(u) otherwise. □ 

The proof of the theorem exploits Lemma 1, in case p(u) (j CN, to construct, 
for any trace t of ORN with a* (t) = u, an alternative trace t' of ORN such that 
a%{t') = v! . If p(u) € CN, then, we construct a particular trace t with a%(t) = u 
and use Lemma 2 to rule out that any observational equivalent trace t! can be 
attributed to a user v! not in sitefu). 

Next, we turn to the receiver. In the proof of Theorem 2 we exploited the initial- 
ization condition which helps in prepending subbehaviour to the subtrace under 
consideration. For the case of the receiver we call upon the fairness assumption 
in order to find subbehaviour that extends the particular subtrace. 

Theorem 3. For a set of compromised nodes CN, onion routing has the fol- 
lowing anonymity groups for receivers: AG r (v) = U if ro uter(v) CN, and 

AG r (v) = {u} otherwise. □ 

The proof of Theorem 3 is in the same vein as that of Theorem 2. 

For comparison, we next consider the coconut case. Recall that in our model 
for coconut routing, packets are decrypted but not encrypted again at the node. 
Instead, the original encrypted packet is forwarded. 
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Theorem 4. Coconut routing has for senders the anonymity groups AG s (u) = 
site(u), and, for receivers the anonymity groups AG r (v) = site(v) if the key k is 
not compromised, but AG r (v) = {i>} otherwise. □ 

Theorem 4, which can be proven along the same line as its onion routing coun- 
terparts, shows the weakness of our artificial coconut routing scheme. However, 
if incoming messages are decrypted and encrypted again using a randomized 
symmetric encryption schema the above reasoning does not apply. Then, the 
difference of onion routing vs. coconut routing lies in the robustness. If the sin- 
gle symmetric key is leaked, coconut routing breaks down, whereas for onion 
routing users at uncompromised sites remain anonymous. 

The above analysis establishes the anonymity groups given the choice of pa- 
rameters to the problem. A number of variations have been considered by way 
of experiments for our definition of anonymity groups. For example, instead of 
restricting the selection functions to the class £ one can allow arbitrary selec- 
tions, but demanding that each router sends itself a fake message over a random 
path. This does not affect the anonymity results. However, the sender anonymity 
drops to an isolated site for senders, but not for receivers if such a randomized 
initialization phase does not take place and general selection functions are al- 
lowed. Another line of variation is in the fairness assumptions or in the definition 
itself. A concrete alternative is to consider ‘windows of observation’, leading to 
a set-up that is simpler than the one with selection functions, but unintuitive 
results (as one can claim behavior just outside the window of the intruder). 
In fact, one could argue that the selection functions form a generalization of 
considering finite prefixes. A protocol, that we baptized kiwi-routing employs 
symmetric keys that are shared among pairs of routers. This protocol is weaker 
than coconut routing (whence the naming) in the sense that it breaks down as 
soon as one of the many shared keys gets compromised. 

5 Conclusion 

The achievements of our research are twofold. First of all, we have given a general 
and formal definition of anonymity in a trace model. Main parameters of this 
definition are the attribution function which assigns to each trace a user, and 
the capabilities of the intruder. This allows us to calculate a user’s anonymity 
group, i.e. the collection of other users that cannot be distinguished from this 
user by the intruder. Our definition is of a qualitative nature and discards quan- 
titative aspects. This means that we only consider statements such as “could this 
behaviour be attributed to some other user”, rather than “what is the chance 
that this behaviour is caused by some other user”. It is our believe that a for- 
mal quantitative analysis of a security protocol can only be achieved after first 
having developed a proper qualitative analysis methodology. In future research 
we wish to investigate the use of tool support to analyze privacy protocols and 
to adapt our approach to a quantitative setting. 

The second result of our research is the formalization of a basic onion routing 
protocol and its analysis. By abstracting from several details we were able to 
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concentrate on what we consider the protocol proper and to formalize some of 
the insights expressed by the designers of the protocol. By varying over the 
user attribution function we could analyze the anonymity of both the receiver 
and sender of some intercepted message. Reasoning about different attribution 
functions, such as “did u ever send a message”, follows the same line. Due to the 
restrictions on the intruder’s choice function, we were able to express conditions 
on the initialization of the protocol that guarantee full privacy. It is not the case 
that during this initialization phase senders of messages can be traced back. The 
size of a user’s anonymity group expands during this phase until it comprises all 
other users. It would be interesting to express the anonymity group of each user 
during initialization as a closed expression. 

One of our aims was to understand why the onion routing protocol has its 
current shape and under which conditions its privacy properties are satisfied. 
Thereto we compared it to several weaker protocols, of which we have discussed 
the coconut routing protocol here only. This comparison explains what the im- 
plications are of simplifying the layered messages. Coconut routing hardly guar- 
antees privacy. While performing our analysis, it turned out quite naturally that 
the onion routing protocol requires randomized encryption to guarantee full pri- 
vacy. Without such randomization the protocol is vulnerable to guessing attacks, 
when the intruder seeks to relate incoming and encryptions of outgoing traffic. 

It would be interesting to analyze more complex versions of the onion rout- 
ing protocol, such as an extension of the protocol with connections, like in the 
original onion routing protocol. Further validation of our methodology would 
not only require to consider other protocols, but also stronger intruder models. 
In the case of the onion routing protocol it is conjectured that an active intruder 
could not threaten privacy more than a passive (eavesdropping) intruder. Since 
denial-of-service attacks is a topic of research of its own, we will not consider 
these attacks in the course of our privacy research. 

A final topic of future research is the formalization of other privacy no- 
tions, such as unlinkability, pseudonymity and unobservability. Initial research 
indicates that their formalization follows the same line as the formalization of 
anonymity. 
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Abstract. The recent approach of a model-based framework for stega- 
nography fruitfully contributes to the discussion on the security of stega- 
nography. In addition, the first proposal for an embedding algorithm 
constructed under the model-based paradigm reached remarkable per- 
formance in terms of capacity and security. In this paper, we review the 
emerging of model-based steganography in the context of decent ste- 
ganalysis as well as from theoretical considerations, before we present 
a method to attack the above-mentioned scheme on the basis of first 
order statistics. Experimental results show a good detection ratio for a 
large test set of typical JPEG images. The attack is successful because of 
weaknesses in the model and does not put into question the generalised 
theoretical framework of model-based steganography. So we discuss pos- 
sible implications for improved embedding functions. 

1 Introduction 

Steganography is the art and science of hiding information such that its pres- 
ence cannot be detected. Unlike cryptography, where anybody on the trans- 
mission channel notices the flow of information but cannot read its content, 
steganography aims to embed a confidential message in unsuspicious data, such 
as image or audio files [18]. Like in cryptography, the Kercklroffs principle [16] 
also applies to steganography: Security relies on publicly known algorithms that 
are parameterised with secret keys. 

Steganalysis is the task to attack steganographic systems. For a successful 
attack, it is sufficient for an adversary to prove the existence of a hidden message 
in a carrier even if she cannot decrypt the content. Whereas in most cases the 
existence of steganography can only be expressed in probabilities, the literature 
suggests a somewhat weaker notion for successful attacks. A steganographic 
algorithm is considered as broken if there exists a method that can determine 
whether or not a medium contains hidden information with a success rate better 
than random guessing. 



1.1 Related Embedding Schemes and Successful Attacks 

Judging from the set of available steganographic tools, digital images are the 
most popular carrier for steganographic data, likely because of being both op- 
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erable and plausible. The plausibility of steganographic target formats increases 
with the amount of data transmitted in the respective format. Regarding the 
WWW and E-mail, JPEG images are widely used, and therefore they are an 
ideal target format. 

Jsteg [22], released in 1993, is probably the first steganographic tool to em- 
bed into JPEG images. Embedding is accomplished by replacing the least signif- 
icant bits of quantised coefficients that describe the image data in the frequency 
domain. Even though, this simple method can be reliably detected with the 
Chi-square attack (y 2 ) [26]. This attack exploits the pair wise dependencies of 
adjacent bins in the histogram, which occur after embedding of uniformly dis- 
tributed message bits. 

To prevent this attack, the algorithm F5 [24] uses a different embedding 
function, adapting the least significant bits to the message by decreasing the co- 
efficients’ absolute values. In addition, F5 implements two steganographic tech- 
niques to lower the risk of detection for messages below the full capacity. Matrix 
encoding [4] minimises the amount of modifications per message bit by carefully 
selecting the modified coefficients. A permutative straddling function spreads the 
message equally over the whole image. 

OutGuess [19], another algorithm, also replaces the least significant bits, but 
additionally introduces correction bits to preserve the first order statistics. Thus, 
it is not vulnerable to the Chi-square attack. OutGuess voluntarily limits the 
maximum steganographic content to 6 % of the file size (about half as much as the 
before mentioned algorithms support) in order to realise plausible deniability: At 
first, a secret message is embedded together with error correction codes. Then, a 
second harmless message can be embedded, which acts as alibi for the case that 
the concealed communication is actually discovered. 

Both OutGuess and F5 can be detected by computing calibrated statistics. 
Uncompressing a JPEG image and re-compressing it after a slight transforma- 
tion in the spatial domain accomplishes this. A comparison of both marginal 
statistics, of the examined image and of the re-compressed image, reveals the 
existence of a hidden message [10, 11]. 

Apart from targeted attacks, which are constructed for particular embedding 
functions, blind attacks [17, 7] do not assume knowledge about the functionality 
of particular algorithms. Blind methods extract a broad set of statistical features, 
which might be subject to changes due to embedding. Then, a classifier is trained 
with a large number of typical images, both pristine carriers and stegotexts. 
Although suffering from lower prediction reliability than targeted attacks, blind 
attacks have the advantage of easy adaptability to new embedding functions. 
While in this case targeted attacks have to be altered or redesigned, blind attacks 
just require a new training. 

1.2 Towards Model-Based Steganography 

There have been several attempts to formalise the security of steganographic 
systems from an information theoretic point of view. Based on Anderson and 
Petitcolas’ [1] initial idea to argue with entropy measures of carrier, stegotexts, 
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and hidden messages, Zollner et al. [29] show that information theoretical secure 
steganography is not feasible in general. As a result, they introduce the notion 
of an in- deterministic steganographic function. This concept implies that the 
steganographic carrier, represented as random variable X = (A<j e t, ATi n <j e t), can 
be split up into a deterministic part Ad e t and an in-deterministic part Ai n <j e t- 
Zollner et al. assume that an adversary has knowledge about deterministic parts 
of a carrier, ranging from general assumptions about marginal distributions - 
for example, the typical macro structures of natural images - to specific infor- 
mation about an actual carrier, such as the possibility to verify the accuracy of a 
digitised photograph by comparing it to the depicted scene. Hence, the determin- 
istic part must not be altered to carry steganographic data. The in-deterministic 
part, however, is assumed to be uniformly distributed random noise, which has 
been introduced, for example, by quantising the signal with an analogue-digital 
converter. Apart from meta- information, such as proportion and marginal distri- 
bution, the adversary has no knowledge about the actual shape of Ai n <j e t- Under 
this assumption, Xi n d e t can be replaced with a similar distributed payload mes- 
sage A;^ det (i. e. , compressed data can be considered as uniformly distributed) 
to compose a stegotext X* = (A<jet, A;^ det ). 

Though this approach sounds simple in theory, its practical application suf- 
fers from the problem to separate A; n <jet from Ad e t- This separation is not only 
complicated by the varying qualitative assumptions about which information an 
adversary can gain about the carrier - in more general terms, this is a ques- 
tion of the adversary model -, but also by the difficulty to consider all possible 
dependencies between 

1. the “noise” and the structure of a carrier, and 

2. the intra-dependencies within the “noise” part 1 . 

So, most attempts to separate Xj e t from Xi n d e t are rather naive. The most widely 
used one is least significant bit (LSB) embedding, which implicitly assumes the 
k LSBs as A; n det, and the remaining bits as Xd e t- A couple of successful attacks 
against this scheme [5, 9, 12, 26, 28] proves the inadequacy of this approach. 

Also arguing with information theory, Cachin [3] describes the relation of 
the relative entropy between the probability distributions of carrier data and 
stegotexts to the error probabilities in a hypothesis test of a passive adversary. 
He introduces the concept of ^-security, denoting an upper bound for the binary 
relative entropy d(a, /3 ) < e. In steganographic hypothesis tests, a is the proba- 
bility that the adversary falsely suspects a hidden message in a pristine carrier 
(also false positives, or type I error), and f3 is probability that the adversary 
does not detect a hidden message ( misses , or type II error). 

These information theoretic considerations, however, seemed to have only 
marginal influence on the design of specific steganographic algorithms. Eventu- 
ally, Sallee’s work [21] contributes to remedy this unsatisfactory situation. His 
proposal of a model-based approach to steganography can be interpreted as an 

1 We put the term noise in inverted commas, because if it were real (i.e., uncorrelated) 
noise, we would not face the described problems. 
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evolutionary combination of the above mentioned concepts coupled with strong 
implications for the design of steganographic algorithms. 

Model-based steganography adapts the division of the carrier into a deter- 
ministic random variable Ad e t and an in-deterministic one Alindet 2 - In contrast to 
the previous approaches, model-based steganography does not assume ATi n d e t to 
be independently and uniformly distributed. Therefore the developers propose to 
find suitable models for the distribution of Xi n( jet, which reflect the dependencies 
with Xdet- The general model is parameterised with the actual values of Adet of 
a concrete cover medium, which leads to a cover specific model. The purpose of 
this model is to determine the conditional distributions P(ATi n det|ATdet = Xdet)- 
Then, an arithmetic decompression function 3 is used to fit uniformly distributed 
message bits to the required distribution of ATi n d e t, thus replacing Ad„d e t by 
Auiidet’ which has similar statistic properties and contains the confidential mes- 
sage. Figure 1 shows a block diagram of the general model-based embedding 
process. 




Encrypted 

Message 



Fig. 1 . Block diagram of the principles of model-based steganography 

In addition to these general considerations, the initial work on model-based 
steganography contains a proposal for a concrete embedding function for JPEG 
images in the frequency domain. The purpose of this paper is to point to weak- 
nesses of this concrete model, which allow an adversary to separate stegotexts 
from innocuous images. 

The remainder of this paper is structured as follows: In the next section we 
explain the functionality of the actual embedding scheme, before we discuss its 
weaknesses in Section 3 in order to construct an operable attack. In Section 4, 
we report experimental results evaluating the performance of the presented de- 
tection method. In the final Section 5, we discuss the insights in a more general 
context and derive implications towards ever more secure steganography. 

2 Model-Based Steganography for JPEG Images 

In this section, we briefly explain the steganographic algorithm for JPEG images 
proposed in [21]. As we acknowledge the theoretical framework of the model- 
based approach, we expect further development under the new framework. So, 

2 Sallee [21] denotes AJndet as X a and Adet as Xg. We do not follow this convention 
because the symbols a and /3 usually stand for error probabilities and might lead to 
confusion in other contexts. 

3 The idea of employing a decompression functions to generate arbitrary target dis- 
tributions has been described in the literature as mimic function [23]. 
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Cauchy Model of JPEG DCT Histogram 




Quantised value k of DCT (2- 2) coefficient 



Fig. 2. Typical histogram of JPEG coefficients and approximated Cauchy distribution 
with data points. The frequency of the low precision bins is not modified during 
embedding 



we will refer to the examined method as MB1, because it was the first one derived 
from the general considerations of model-based steganography. 

Standardised JPEG compression cuts a greyscale image into blocks of 8 x 8 
pixels, which are separately transformed into the frequency domain by a two 
dimensional discrete cosine transformation (DCT). The resulting 64 DCT coef- 
ficients, (i,j) : i,j = 1, ... ,8, are quantised with a quality dependent quanti- 
sation step size and further compressed by a lossless Huffman entropy encoder. 
The MB1 algorithm, as most steganographic schemes for JPEG files, embeds 
the steganographic semantic by modifying the quantised values. This ensures a 
lossless transmission of the hidden message bits. 

Since individual modifications are not detectable without knowledge of the 
original values, an attacker reverts to the marginal statistics over all blocks of an 
image. Hence, the MB1 algorithm has been designed to preserve these distribu- 
tions. Figure 2 depicts an example histogram of a selected DCT( 2 , 2 ) coefficient. 
The histogram shape is typical for all JPEG DCT coefficients except DCTp ^, 
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which are therefore excluded from embedding (i. e., the DCT( 1:l ) coefficients 
belong to A de t)- 

(i i) 

Let us denote h k as the number of quantised DCT(jj) coefficients equal to 
fc in a given image. We will further refer to this quantity as the fc-th high precision 
bin of the histogram /(*■*’ By contrast, the low precision bins comprise several 
high precision bins. Without restricting generality, we focus on the case when a 
low precision bin b k ’ ( k ^ 0) contains exactly two high precision bins, so that 

f h 2 kl 1 + h 2 k j) for fc < 0 

b^’ j) = l h { d' j) for fc = 0 

( 4fc - 1 + h 2 k ] for fc > 0 . 



To avoid the case differentiation and simplify the notation, we will write 
further equations only for fc > 0. Furthermore, q £ [0,1] denotes the quality 
parameter of a JPEG compression that is used to compute the quantisation 
tables. 

(i l) 

The MB1 algorithm defines the size of the low precision bins b k as part of 
Adetj while the distribution within the low precision bins (i.e., the correspond- 
ing high precision bins and ^hk ' > ) considered as part of Ai nde t- The 

embedding function alters the quantised DCT coefficients, so that 



1. the new values belong to the same low precision bin, and 

2. the conditional distribution of /4fc-i aR d from a given keeps 

coherent according to a model. 



This is accomplished by altering coefficient values of 2 fc — 1 to 2 fc and vice versa. 
In contrast to simple LSB overwriting, the conditional probabilities of occurrence 
P ( Ajndet | Adet = £det)> actually -P(^ 2 fc-i )’ are derived from the model in 

dependency of the low precision bin b k ’. As it is obvious that the probabilities 
for all high precision bins sum up to 1 in each low precision bin, 






) = 1 > 



V i,j, fc, 



we further refer only to the -P(^ 2 fc-i ) as Pk'^ ■ The required p k ’ is adjusted 

to the shape of a Modified Generalised Cauchy (MGC) distribution /(fc, 7r, s): 

(i,j) = /( 2fc~ 1 ,tt,s) 

Pk /(2fc — 1, 7r, s) + /(2fc, 7T, s) 

The density function of the MGC distribution applied is defined as follows: 

/(fc, 7r, s) = H-iflfc/al + l)-* 
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The scale parameter s and the location parameter it are computed separately 
for all DCT modes by a maximum likelihood estimation over the low precision 

bins Then, p k ' is determined for all low precision bins b k \k yf 0 of 

(i i) 

each DCT mode, but DCT( 1> i) coefficients and zero value coefficients b 0 are 
excluded from embedding. An arithmetic entropy decoder [27, cited from [21]] is 
used to fit the compressed and encrypted - thus uniformly distributed - message 
bits to ~ U to a discrete vector with defined symbol probabilities p k and 
1 - p™ 4 . As &W) is not modified due to embedding, the receiver can re- 
compute the model parameters and thus extract the message. 

One way to evaluate the performance of an embedding algorithm is the em- 
bedding efficiency. According to [24] , the embedding efficiency in JPEG files can 
be defined as the average message bits encoded per change of a coefficient. The 
application of an arithmetic decoder is an elegant way to achieve an exception- 
ally high embedding efficiency. Sallee reports embedding efficiencies between 2.06 
and 2.16 bits per change for test images with q = 80% [21]. Other decent algo- 
rithms achieve values between 1.0 and 2.0 (OutGuess), or just under 2.0 (F5) 5 . 
Also in terms of capacity, MB1 performs on the upper end of the range. The 
capacity is defined as ratio of message bits per transmitted bits. MB1 reaches 
values of just under 14%, which is slightly better than F5 and Jsteg (about 13% 
and 12%, respectively), and clearly above OutGuess (below 7%). 

Being explicitly designed as proof of concept, the developers of MB1 concede 
that the simple model does not include higher order statistics. However, they 
claim it to be “resistant to first order statistical attacks” [21, p. 166]. First order 
statistics are all measures describing data regardless of the inter-dependencies 
between observations, such as mean, variance, and histograms. Higher order 
statistics consider the relationship between observations and their position in the 
dataset; for example correlations between adjacent pixels in an image. As a rule 
of thumb, if the results of a statistical measure are invariant to any permutation 
of the data, then it is first order statistics. 

Until today, none of the existing attacks against other algorithms also works 
on MB1, and no targeted attack has been published. Though, it is not surpris- 
ing that a blind attack with special second order features, such as blockiness 
measures and co-occurrence tables, can discriminate between plain carriers and 
MB1 stegotexts [7]. But according to the outlook in the initial paper, we soon 
expect improved methods also taking into account some second order statistics. 
Whereas research clearly goes into this direction, it is somewhat important and 
also surprising that MB1 steganography is also vulnerable from the believed safe 
side: In the following section, we present a detection method which is completely 
based on first order statistics. 



4 The use of a de-coder might sound surprising, however, entropy considerations sug- 
gest that the length of the symbol stream increases with the skewness of the target 
distribution. For all 7 ^ 0.5 the amount of symbols and of consumed coefficients 
dominates the length of the message bit stream. 

5 Matrix encoding in F5 leads to higher efficiencies if the capacity is not fully used. 
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DCT Histogram: Non-conforming Bin 



<-C 

l-C 




-c 




Quantised value k of DCT(, y ) coefficient 



(i i) 

Fig. 3. Example DCT histogram with non-conforming bin b_ . The divergences in 
the carrier between actual frequency and Cauchy-based expected frequencies disappear 
after MB1 embedding 



3 Detection Method 

The main idea of the proposed attack can be summarised as follows: Although 
the Cauchy distribution generally fits well to the DCT histograms, there are 
outlier bins in natural images. After embedding, these non-conforming bins are 
adjusted to the density function of the model distribution. 

The construction of an attack can be structured into two steps: First, a test 
discriminates non-conforming bins from conforming ones. The test is run on all 
independent low precision bins of a particular JPEG image. Second, the count 
of positive test results is compared to an empirical threshold value for natural 
carrier images. If a questionable image contains less non-conforming bins than 
plain carrier images usually have, it is likely that the histograms are smoothed by 
the MB1 embedding function and thus, the image is classified as steganogram. 

Figure 3 depicts a DCT histogram with a typical outlier in the low precision 
bin 6_i. The bins are excluded from embedding, so the respective bars are 
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blanked out in the histogram. It is clearly visible that the original frequencies 
h-i and h- 2 (left bars of the triples) differ from the expected frequencies (middle 
bars) . The expected frequencies and the frequencies in the stegotext (right bars) 
are fitted to the same level. 

The differences can be measured by a contingency test between the observed 
frequencies and expected frequencies of both high precision bins represented in 
one low precision bin. To calculate the expected frequencies, we model the symbol 
output of the arithmetic decoder as a Bernoulli distributed random variable Y (p) 
with p = p < '}!’ J> 6 . So the high precision histogram bins of stegotexts /i^ J ) follow 
a Binomial distribution 



u 2k-l 
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,p“ .and 


h^ j ) , 
ri 2k 


~ B(b fo 


'.i-AA 



The expected frequencies are given by the expected values of B: 






„(fo')\ 






An adversary can compute these values by refitting the model for p^’ :l> be- 
cause the low precision bins are not altered. Then a contingency table is used 
to perform Pearsons ’s %-test, whether or not individual low precision bins are 
conform to the model (see Table 1). The distribution function Q(y 2 , df) of the y 2 
distribution gives an error probability for the null hypothesis that the contrasted 
frequencies are independent. The test will reject the null for non-conforming bins 
if P < P\un ■ 



Table 1 . Contingency test for non-conforming low precision bins 
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P = Q( X 2 , df = 1) 



To explore the average count of non-conforming bins in typical JPEG images, 
contingency tests are run on the low precision bins and b^’p for 63 DCT 
modes of a set of 100 JPEG images (altogether 126 tests per image). These 
images were randomly drawn from a large number of digital photographs with the 

6 The assumption that the symbol output is drawn from a Bernoulli distribution is a 
worst case assumption. Any “better” arithmetic decoding algorithm would - apart 
from reducing the entropy - on average fit the stegotext bin sizes closer to the 
expected sizes and thus lead to more arbitrable contingency tests. 
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Differences between Plain Carrier and MB1 Stegotext 




0 20 40 60 80 100 



Sorted case index 



Fig. 4. Non-conformities with the assumed Cauchy distribution are typical for JPEG 
images. MB1 is detectable because it erases these particularities 



resolution 800 x 600 and a JPEG quality parameter of q = 0.8. Figure 4 contrasts 
the results to 100 full capacity stegotexts created from the same carriers. It is 
obvious that a threshold of, say, Cu m = 3 can quite reliably discriminate the two 
sets. 

At last, two more details of the contingency test are worth to mention: First, 
as the test is unreliable for low frequency numbers in any of the cells, tables 
with a minimal cell value below 3 are excluded from the evaluation. Second, 
the reliability of the test depends on the number of DCT coefficients unequal 
to zero. Since this number varies both with the size of the test image and with 
the quantisation step size derived from q , the critical probability pi; m has to 
be adjusted to the above mentioned parameters. This method allows an opti- 
mal differentiation in terms of low error probabilities a and (3 of the stegotext 
detection. 

4 Experimental Results 

The reliability of the proposed detection method was assessed using a test 
database of about 300 images from a digital camera 7 . To reduce unwanted in- 
fluences or atypical artefacts due to previous JPEG compression [8], all images 
were scaled down to a resolution of 800 x 600 pixels and stored as JPEG with 
six different quality settings, q = 0.4, 0.5, . . . , 0.9. In all experiments, only the 
luminance component of colour images has been regarded. All analyses were 
accomplished with the R Project for Statistical Computing [20,14]. 

Sony Cybershot DSC-F55E, 2.1 mega-pixel. 
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To generate comparable histogram sets of plain carrier and steganograms, 63 
DCT histograms were extracted from all images. The plain carrier histograms 
were transformed to equivalent stegotext histograms by replacing the high pre- 
cision bins with random numbers drawn from a Binomial distribution, using 
before determined parameters from the model: 
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Furthermore it is obvious that limiting capacity leads to smaller changes in 
the histograms and thus shorter messages are less detectable. To estimate this 
effect we also varied the capacity usage in 10 levels from full capacity down to 
10 % for all test images and quality factors. This leads to a set of 1.2 M stegotext 
DCT histograms (equivalent to 18,120 stegotext images), which were compared 
to the same amount of plain carrier histograms. Explorative analyses of suitable 
bins for the contingency test revealed that the bins b^’p and yielded to 
the best results for all DCT modes. So, all other bins were excluded from the 
evaluation. 

In a first experiment, the proposed attack was run on a subset of this database 
with 100% capacity usage and q = 0.8. Here, all images could be correctly 
classified with py rn = 0.014 (corresp. y 2 = 6, df = 1). The threshold cn m = 2 
was fixed in all experiments. Attacks on steganograms with lower capacity usage 
or lower q cause misclassifications. The number of false positives (cc) and misses 
(/3) depends on the choice of the threshold parameters. 

To further explore the relationship between a and /?, the attack was repeated 
multiple times with different py ml € [0.0001,0.2] 8 , and the resulting error rates 
were plotted in a receiver operating characteristics (ROC) diagram shown in 
Figure 5. Here again, we reached good discriminatory power for capacity usages 
higher than 80%, and still acceptable detection rates for capacities above 50%. 
Hence, we can state that the MB1 algorithm is broken with first order statistics. 

The qualitative interpretation of the shape of ROC curves can be quantified 
in an aggregated measure of the reliability of a detection method. Unfortunately, 
different quality measures in the literature complicate comparisons between dif- 
ferent studies. Some authors argue with the probability (1 — (3) for a fixed pro- 
portion of false positives, say a = 1 % [17]. Others compare a values for a fixed 
detection rate of /? = 1 — /3 = 50% [15]. In this paper, we follow the third ap- 
proach from [7] , which reflects both a and /3: The detection reliability p is defined 
as p = 2 A — 1, where A is the area under the ROC curve. It is normalised, so 
that p = 0 indicates no discriminatory power at all (i. e., random guessing) and 
p = 1 stands for a perfect detection. 

Table 2 reports the empirical p values derived from the test images for dif- 
ferent allocations of capacity, and different quantisation factor q. The minimum 



In fact, varying the underlying threshold leads to equivalent results since the 
(computing intensive) transformation function Q is strictly monotonic decreasing. 
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Receiver Operating Characteristics 




Fig. 5. Dicriminatory power of attacks on MB1 for different capacity usages 



embedding rate that is detectable under the arbitrary definition of ‘reliablility’ 
stated in [15], namely a = 5% and [3 = 50%, is about 45% of the capacity of 
JPEG images with q = 0.8. Note that these figures reflect average estimations. 
The actual detectability is likely to vary for certain carrier images. 

5 Discussion and Conclusion 

It is important to emphasise that this vulnerability of the MB1 scheme is rather 
a problem of the specific model used in the scheme, than a weakness of the 
general approach of model-based steganography. Having said this, the successful 
attack is still somewhat surprising, because the theoretical considerations given 
in the original paper [21, p. 166] suggest that possible vulnerabilities come from 
analyses of higher order statistics, which are not reflected in the model. However, 
the proposed detection method only uses characteristics of first order statistics, 
which were considered as safe. 

The remainder of this section addresses three open subjects. First, we point to 
limits of the proposed attack and propose future improvements. Then, we discuss 
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Table 2. Experimental attacks: Detection reliablility p 



Capacity 

usage 


Avg. message size 
per file size 






JPEG quality q 






0.9 


0.8 


0.7 


0.6 


0.5 


0.4 


100% 


13.1 % 


1.0000 


1.0000 


0.9999 


1.0000 


1.0000 


0.9979 


90% 


11.8% 


1.0000 


1.0000 


0.9997 


1.0000 


0.9996 


0.9963 


80% 


10.5% 


0.9989 


0.9982 


0.9949 


0.9970 


0.9940 


0.9826 


70% 


9.2% 


0.9890 


0.9850 


0.9797 


0.9777 


0.9740 


0.9596 


60% 


7.9% 


0.9593 


0.9527 


0.9440 


0.9322 


0.9292 


0.9202 


50% 


6.6% 


0.9012 


0.8898 


0.8782 


0.8615 


0.8552 


0.8519 


40% 


5.2% 


0.8057 


0.7906 


0.7796 


0.7624 


0.7509 


0.7516 


30% 


3.9% 


0.6576 


0.6476 


0.6457 


0.6185 


0.6063 


0.6180 


20% 


2.6% 


0.4568 


0.4549 


0.4583 


0.4295 


0.4214 


0.4362 


10% 


1.3% 


0.2289 


0.2294 


0.2357 


0.2160 


0.2133 


0.2252 



The ROC curves for values printed bold-face meet a reliability criterium of 
more than 50 % detection rate with less than 5 % false positives. 



possible countermeasures to prevent this attack, before we finally conclude with 
more general implications for the design of new and better embedding functions. 

This attack is considered as proof of concept and as first step towards more 
precise attacks. It has been mainly driven by the feeling that an embedding 
algorithm offering a payload capacity of about 13% of the transferred data is 
very likely to be detectable with a targeted attack. Similar to the evolution 
of attacks against LSB steganography after the publication of [26], we expect 
that this existential break will lead to far better attacks, which shall be able to 
estimate the hidden message length and thus will even detect tiny messages. 

A possible extension to this attack can be the anticipation of common image 
processing steps. As the experiments were run on a limited set of test images 
directly loaded from a digital camera, we cannot generalise our results to all 
kind of carrier data. At first, computer generated images may have different 
characteristics than natural images. This is a reason why the literature suggests 
that this type of carrier should be avoided for steganography [18]. Even though, 
natural images are often subject to image manipulation. It is likely that some 
of these algorithms, e. g. blurring, also result in smoother DCT histograms. The 
challenge to detect these manipulations in advance and thus reduce the number 
of false positives, or even to distinguish between “white collar” image processing 
and “black hat” Cauchy-based steganography, is subject to further research. 

Thinking about possible countermeasures, the ad hoc solution is as old as 
digital steganography, namely a reduction in capacity usage. Nevertheless it is 
an interesting research question, how this limitation can be optimally accom- 
plished for model-based steganography. Whereas the conditional distributions 
for individual bins depend on the deterministic part Xd e t> a careful selection of 




138 



Rainer Bohrne and Andreas Westfeld 



the skipped bins or coefficients may lead to a far better ratio between security 
and capacity, than random selection. A similar approach is described in [6]. This 
method exactly preserves the low precision bins without a model - albeit in 
the spatial domain of losslessly compressed images, and in a less optimal man- 
ner. Therefore it is not vulnerable to attacks on first order statistics, but still 
detectable due to other flaws [2]. 

Refining the model could be another promising countermeasure. As a rather 
fussy preservation of the properties of the actual carrier is often superfluous and 
also complicates the embedding function, we could imagine to model a certain 
amount of non-conforming bins, and to randomly intersperse the stegotext with 
outliers. 

Despite the specific obstacles of MB1, the model-based approach offers a 
promising framework for the design of adaptive steganograplric algorithms. The 
clear link between information theoretic considerations and the design of actual 
algorithms contributes to structure the research area. A generalisation from the 
concrete vulnerabilities suggests two implications for the design of more secure 
embedding functions. 

First, it is dangerous to give up the information superiority of the colluding 
communication partners. The described attack on MB1 is successful, because an 
adversary can re-compute the model parameters. If the adversary had no access 
to the Cauchy distribution, she would not be able to compute the expected fre- 
quencies. Hence, future algorithms should either consider to make the parameter 
retrieval key dependant, or perform an embedding operation which does not re- 
quire the receiver to know the exact model. The recently developed wet paper 
codes [13] seem to be a promising technique to tackle this problem. 

Second, the reliability of statistical attacks increases with the amount of ob- 
servations. Although MB1 already computes distinct models for each of the 63 
usable DCT modes, an even more detailed segmentation of individually mod- 
elled - and maybe even locally correlated - statistics breaks the steganalyst’s 
advantage of large numbers. Apart from including second order dependencies 
into the models, the challenge to harden future algorithms against the here dis- 
cussed weaknesses can be accomplished by modelling the carrier medium with a 
multiple of key dependent models. 

To conclude, as it is common sense that the ultimate and provable secure 
model cannot exist [1,21,29], the core contribution of this paper is pointing 
out that future models should reflect the particularities that made this attack 
successful. 
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Abstract. We evaluate the anonymity provided by two popular email 
mix implementations, Mixmaster and Reliable, and compare their ef- 
fectiveness through the use of simulations which model the algorithms 
used by these mixing applications. Our simulations are based on actual 
traffic data obtained from a public anonymous remailer (mix node). We 
determine that assumptions made in previous literature about the dis- 
tribution of mix input traffic are incorrect: in particular, the input traffic 
does not follow a Poisson distribution. We establish for the first time that 
a lower bound exists on the anonymity of Mixmaster, and discover that 
under certain circumstances the algorithm used by Reliable provides no 
anonymity. We find that the upper bound on anonymity provided by 
Mixmaster is slightly higher than that provided by Reliable. 

We identify flaws in the software in Reliable that further compromise its 
ability to provide anonymity, and review key areas that are necessary for 
the security of a mix in addition to a sound algorithm. Our analysis can 
be used to evaluate under which circumstances the two mixing algorithms 
should be used to best achieve anonymity and satisfy their purpose. Our 
work can also be used as a framework for establishing a security review 
process for mix node deployments. 



1 Introduction 

The Internet was initially perceived as a rather anonymous environment. Now we 
know that it can be a powerful surveillance tool: anyone capable of listening to 
the communication links can spy on Internet users, while data mining techniques 
are becoming increasingly powerful and more widely accessible. 

Preserving privacy does not only mean keeping information confidential; it 
also means not revealing information about who is communicating with whom. 
Anonymous remailers (also called mixes ) allow their users to send emails without 
disclosing the identity of the recipient to a third party. They also allow the sender 
of a message to stay anonymous to the recipient. 

The objective of this work is to have quantitative results on the anonymity 
actually provided by two mix software implementations in wide deployment, to 
test the actual anonymity provided to the users of the remailer service, and 
to compare the two different designs. We evaluate anonymity in a single-node 
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context. To assess the anonymity provided by the entire remailer network, addi- 
tional considerations are necessary. As individual nodes are the basic component 
to the network of mixes, we aim to provide information to be considered when 
choosing this component. We have used as input real-life data gathered from a 
popular remailer, and simulated the behavior of the mix. 

2 Mixes 

Mixes are the essential building block of anonymous email services. A mix is 
a router that hides the relationship between incoming and outgoing messages. 
The mix changes the appearance and the flow of the message traffic. In order to 
make messages indistinguishable from each other the mix uses techniques such as 
padding and encryption, which provide bitwise unlinkability between inputs and 
outputs. Techniques such as reordering messages delaying them, and generating 
dummy traffic are used to modify the flow of messages. This modification of the 
traffic flow is needed to prevent timing attacks that could disclose the relationship 
between input and output messages by observing the time the messages arrived 
at and left from the mix. 

The idea of mixes was introduced by Chaum [Cha81]. This first design was 
a threshold mix, a mix that collects a certain number of messages and then 
flushes them. Since then, variants on this first design have been proposed in the 
literature. In this paper, we focus on two practical mix designs that have been 
implemented and are part of the Mixmaster remailer network [Cot95] , which has 
been providing anonymous email services since 1995. 

The first design is called “Mixmaster” (as the remailer network) because it 
is descended from the original software program designed by Cottrell 
[Cot,MCPS03]. The second design, called “Reliable”, uses a different reordering 
strategy [RPr99] . The details of the two remailers are explained in the following 
sections. We compare version 3.0 of the Mixmaster software and version 1.0.5 of 
Reliable. 

2.1 Mixmaster 

Mixmaster 1 is a pool mix. Pool mixes process the messages in batches. They 
collect messages for some time, place them in the pool (memory of the mix), and 
select some of them for flushing in random order when the flushing condition 
is fulfilled. Mixmaster is a timed mix that has a timeout of 15 minutes. During 
this period of time, it collects messages that are placed in the pool of the mix. 
When the timeout expires, the mix takes a number of messages from the pool 

1 Mixmaster version 3.0, as well as Reliable, also optionally supports the older 
“Cypherpunk” remailer message format. For the purposes of this paper, we are 
assuming that the remailers are being operated without this support. As anonymity 
sets for the two protocols generally do not overlap, this does not impact our results. 
The Cypherpunk remailer protocol is known to contain numerous flaws, and should 
not be used if strong anonymity is required [Cot,DDM03]. 
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Fig. 1. Mixmaster in the GMM 



that are forwarded to their next destination, which may be another mix or a 
final recipient. The number s of messages sent in a round (one cycle of the mix) 
is a function of the number n of messages in the pool: 

if (n<45) s=0; 

else if (0.35*n < 45) s=n-45; 
else s=0.65*n; 

Mixmaster is represented in the generalized mix model (GMM) proposed 
by Diaz and Serjantov [DS03b] as shown in Figure 1. In this model, the mix is 
represented at the time of flushing. The function P(n) represents the probability 
that a message is flushed by the mix, as a function of the number n of messages 
in the pool. Note that P{n) = s/n. 



2.2 Reliable 

Reliable is loosely based on the Stop-and-Go ( S-G Mix) mix proposed by Kes- 
dogan et al. in [KEB98]. In S-G mixes (also called continuous mixes), the users 
generate a random delay from an exponential distribution. The mix holds the 
message for the specified delay and then forwards it. The messages are reordered 
by the randomness of the delay distribution. This mix sends messages continu- 
ously: when it has been kept for the delay time it is sent out by the mix. 

Reliable interoperates with Mixmaster on the protocol level by using the 
Mixmaster message format for packet transfer. Reliable uses a variant of the 
S-G mix design 2 . 

2 The theoretical S-G mix design assumes that the delay parameter adapts to the 
traffic load, that is, the users should set the delay parameter according to the amount 
of input traffic the mix is receiving. This feature is not implemented in Reliable, 
which has a static delay parameter. True S-G mixes also implement timestamps in 
order to prevent active attacks (n— 1 attacks in particular). Previous work has argued 
that this method is unlikely to be effective, since the senders be able to determine the 
appropriate delay for each mix in the path [SDS] . True S-G mixes would require a 
service provide such information. Regardless, as the message protocol was originally 
designed with only a pool mix network in mind, these timestamps are not used. 
Reliable thus does not provide any resistance to this kind of active attack. 
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In Reliable, the delay may be chosen by the sender from an exponential 
distribution of mean one hour. If the sender does not provide any delay to the 
mix, then the mix itself picks a delay from a uniform distribution of one and four 
hours. Note that these parameters of the delay distributions are configurable, 
and therefore many remailer operators may set them lower to provide a faster 
service. 

2.3 Dummy Traffic 

A dummy message is a fake message introduced into the mix network to make it 
more difficult for an attacker to deploy attacks that compromise the anonymity 
of a message. The dummy messages are produced by the mixes, and use a chain 
of mix nodes that terminates at a mix instead of a real recipient. 

Dummies are indistinguishable from real messages as they travel in the mix 
network. Since they are introduced to prevent traffic analysis, the dummy policy 
should maximize the number of possible destinations for the messages flushed 
by the mix. Dummy traffic has an impact when analyzing the mix network as a 
whole. We have made measurements that show that the impact of dummies on 
the anonymity provided by a single mix is very small. To make the comparison 
of Mixmaster and Reliable easier, we have not taken into account the dummy 
policies of these two mixes in the results presented in this paper. 

Dummy Policy of Mixmaster. Each time a message is received by Mixmaster, 
cL\ dummies are generated and inserted in the pool of the mix. The number d\ 
of dummies generated follow a geometrical distribution whose parameter has 
the default value of 1/10. In addition, each time Mixmaster flushes messages, it 
generates a number d 2 of dummies that are sent along with the messages. The 
number d 2 of dummies follows a geometrical distribution whose parameter has 
the default value 1/30. 

Dummy Policy of Reliable. Reliable’s default dummy policy consists of the gen- 
eration of 25 dummies every 6 hours. The time these dummies are kept in the mix 
is selected from a uniform distribution whose minimum value is 0 and maximum 
is 6 hours. 

3 Anonymity Metrics 

In this section we introduce the anonymity metrics for mixes and we present 
the attack model that we have considered. Let us first define anonymity in this 
context. Anonymity was defined by Pfitzmann and Kohntopp [PK00] as “the 
state of being not identifiable within a set of subjects, the anonymity set”. 

The use of the information theoretical concept of entropy as a metric for 
anonymity was simultaneously proposed by Serjantov and Danezis in [SD02] 
and by Dfaz et al. in [DSCP02]. The difference between the two models for 
measuring anonymity is that in [DSCP02] the entropy is normalized with respect 
to the number of users. In this paper we will use the non-normalized flavor of 
the metric. 
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The anonymity provided by a mix can be computed for the incoming or for 
the outgoing messages. We call this sender anonymity and recipient anonymity. 

Sender Anonymity. To compute the sender anonymity, we want to know the 
effective size of the anonymity set of senders for a message output by the mix. 
Therefore, we compute the entropy of the probability distribution that relates 
our target outgoing message with all the possible inputs. 

Recipient Anonymity. To compute the effective recipient anonymity set size of an 
incoming message that goes through the mix, we have to compute the entropy 
of the probability distribution that relates the chosen input with all possible 
outputs. 

Note that in these two cases, the metric computes the anonymity of a partic- 
ular input or output message; it does not give a general value for a mix design 
and it is dependent on the traffic pattern. The advantage of this property is that 
mixes may offer information about the current anonymity they are providing. 
The disadvantage is that it becomes very difficult to compare theoretically dif- 
ferent mix designs. Nevertheless, it is possible to measure on real systems (or 
simulations) the anonymity obtained for a large number of messages and provide 
comparative statistics, as we do in this paper. 

To measure Mixmaster’s sender and recipient anonymity, we have applied the 
formulas provided by Diaz and Preneel in [DP04]. The anonymity of Reliable has 
been measured using the formulas presented in Appendix A. Note that we could 
not apply the method used by Kesdogan [KEB98] because we did not make any 
assumption on the distribution of the mix’s incoming traffic (Kesdogan assumes 
incoming Poisson traffic). 

3.1 Attack Model 

The anonymity metric computes the uncertainty about the sender or the re- 
cipient of a message, given that some information is available. In our case, we 
assume that the mix is observed by a passive attacker, who can see the incoming 
and outgoing messages of the mix. The attacker knows all internal parameters of 
the mix so he can effectively compute the anonymity set size for every incoming 
and outgoing message. 

Previous work by Serjantov et al. [SDS] has focused on active attacks on 
several mix designs. We refer to this paper for complementary information on 
the resistance of several mixes to active attackers. 

4 Simulators 

We have implemented Java simulators for Reliable and Mixmaster. We have 
fed the simulated mixes with real input, obtained by logging a timestamp each 
time a message arrived to a working Mixmaster node (note that the information 
we logged does not threaten the anonymity of the users of the mix). We have 
used four months of incoming traffic (July-November 2003) to obtain the results 
presented in Section 5. 
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In order to make a fair comparison, we have set the mean of the exponential 
delay of Reliable (default 1 hour) to be the same as provided by Mixmaster for 
the given four months of input (43 minutes) 3 . We have assumed users choose 
their delays from an exponential distribution. The mix-chosen uniform delay 
option has not been taken into account, due to the infeasibility of implementing 
algorithms that compute the anonymity for such a delay distribution without 
making assumptions on the traffic pattern, as explained in Appendix A. 

The simulators log the delay and the anonymity for every message. Mixes 
are empty at the beginning of the simulation. The first message that is taken 
into account for the results is the one that arrives when the first input has been 
flushed with 99% probability. All messages flushed after the last arrival to the 
mix are also discarded for the results. This is done in order to eliminate the 
transitory initial and final phases. In our simulations, the number of rounds 
discarded in the initial phase is 3, and the number of rounds discarded in the 
final phase is 39. The total number of rounds for our input traffic is 11846. 



5 Results 

In this section we present and analyze the results we have obtained with the 
simulations. 



5.1 Analysis of the Input Traffic 

It is a common assumption in the literature that the arrivals at a mix node 
follow a Poisson process. We have analyzed the input traffic, and found that 
it does not follow a Poisson distribution nor can it be modeled with a single 
time-independent parameter. 

A Poisson process is modeled by a single parameter A representing the ex- 
pected amount of arrivals per (fixed) time interval. If the arrivals to a mix are 
assumed to follow a Poisson process with an average of A arrivals per time in- 
terval At and we denote the number of arrivals in such a time interval by X, 
then X is Poisson distributed with parameter A: X ~ Poiss(A). It is important 
to note that A is time-independent. 

In our statistical analysis we first assumed that the process of arrivals was 
a Poisson process and we estimated the parameter A. The latter was done by 
taking the maximum likelihood estimate given the number of arrivals per time 
interval At = 15 minutes ( N = 11800). We also constructed a 95% confidence 
interval for this estimate. In this way we found A = 19972 with confidence region 
[19891; 20052]. Then we performed a goodness-of-fit test to determine if we can 
reject the hypothesis 

3 We have made some simulations for Reliable with mean 1 hour, and the results 
obtained do not differ significantly from the ones presented in this paper (i.e. , some 
messages do not get any anonymity at all). We do not include these figures here due 
to a lack of space, but they will be added to an extended abstract version of the 
paper. 
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H 0 : the number of arrivals per time interval ~ Poiss(A) , 

where A varies over the constructed confidence interval. The goodness-of-fit test 
we used is the well-known Chi-square test (df=n— 1=11802). Using a significance 
level of 0.01, the null hypothesis gets rejected (Chi-value=826208)! 

In the left part of Figure 2 we show the number of messages received by 
the mix per hour. The right part of Figure 2 shows the evolution of the arrivals 
per day. We can observe that the traffic that arrived at the mix during the first 
month is much heavier than in the following three months. This shows that the 
input traffic pattern that gets to a mix node is highly unpredictable and that 
the assumption of lambda being time-independent cannot hold. 

Figure 3 shows the frequency in hours and in days of receiving a certain 
number of arrivals. We can see that in most of the hours the mix receives less 
than 20 messages. 

5.2 Analysis of Mixmaster 

We have simulated a Mixmaster node as explained in Section 4. Mixmaster is 
a pool mix and processes messages in batches. The recipient anonymity of each 
message in a given round is the same. Equivalently, all outputs of a round have 
the same sender anonymity value. In this section we show the results obtained 
in our simulation. 

In Figure 4 we show the correlation between the recipient anonymity and the 
delay for every message. Figure 4 shows the same for sender anonymity. 

The first conclusion we come to when observing the figures is that there 
is a lower bound to the anonymity of Mixmaster. It is worth noting that, so 
far, we do not know any theoretical analysis of pool mixes able to predict the 
anonymity a pool mix provides, and prior to this analysis there were no figures 
on the anonymity that Mixmaster was actually providing. With this simulation, 
we can clearly see that Mixmaster guarantees a minimum sender and recipient 
anonymity of about 7. This means that the sender (recipient) of a message gets 
a minimum anonymity equivalent to perfect indistinguishability among 2' = 128 
senders (recipients). 

We can see that the minimum anonymity is provided when the traffic (ar- 
rivals) is low. As the traffic increases, anonymity increases, getting maximum val- 
ues of about 10 (i.e., equivalent to perfect indistinguishability among 2 10 = 1024) 
senders or recipients. We also observe that the delays of the messages don’t take 
high values, unless the traffic load getting to the mix is very low. 

In order to study the behavior of the mix under different traffic loads, we 
have plotted values of delay and anonymity obtained in the simulation for the 
rounds with few arrivals (low traffic), intermediate number of arrivals (medium 
traffic), and many arrivals (high traffic). 

We have selected the low, medium, and high traffic taking into account the 
data statistics of the arrival process: 

Low traffic: all rounds where the number of arrivals was between the first and 
third quartile (1 < data < 17); hence 50 percent of the rounds are denoted 
as normal traffic. 
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Fig. 2. Incoming traffic patterns 





Fig. 3. Frequency analysis of inputs 




Fig. 4. Correlation Delay-Anonymity for Mixmaster 



Medium traffic: all rounds where the number of arrivals was greater than the 
third quartile but lower than the outlier bound (17 < data < 41). 
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High traffic: all rounds with outlier values for the incoming messages (data 

> 41). 

In Figure 5 we show the minutes of delay of every message (the x-axis indi- 
cates the evolution in time). We can see that the delay only takes high values 
when the traffic is low. The fact that some messages appear as having a delay 
close to zero in the low traffic figure is due to the fact that we have more sam- 
ples, so there are messages that arrive just before the flushing and are forwarded 
immediately. In Figure 6 we show the recipient anonymity of every message (the 
sender anonymity presents very similar characteristics). We can see that as the 
traffic increases, the anonymity provided takes higher values. No matter how low 
the traffic load is, the anonymity provided by Mixmaster is always above 7. 




Fig. 5. Delay values for Mixmaster 



Fig. 6. Anonymity values for Mixmaster 



5.3 Analysis of Reliable 

The theoretical method proposed in [KEB98] that gives a probabilistic prediction 
on the anonymity provided by Reliable is based on the assumption of Poisson 
traffic. As we have seen, this assumption is definitely not correct for email mix 
traffic. 

We have simulated a Reliable mix as explained in Section 4. Reliable treats 
every message independently: when it receives a message it delays it for a prede- 
termined amount of time (selected from an exponential distribution) and then 
forwards it. We represent a star, per message. 

In Figure 7 we present the sender and recipient anonymity provided by Re- 
liable for the real stream of inputs we have considered. We can see that the 
anonymity takes minimum values close to zero, which means that some of the 
messages can be trivially traced by a passive attacker. The maximum values 
of Reliable’s anonymity for this input are lower than Mixmaster’s maximums. 
Figure 8 shows the highly correlated values of sender and recipient anonymity 
for both Reliable and Mixmaster. We can clearly see that for Reliable some of 
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Fig. 8. Correlation Sender-Recipient Anonymity for Reliable and Mixmaster 



the messages get nearly no anonymity, while the ones of Mixmaster get at least 
sender and recipient anonymity 7. 



5.4 Mixmaster vs. Reliable 

As we have shown in the previous two sections, Mixmaster and Reliable have 
very different behaviors for the same traffic stream. Note that we have modified 
the default (1 hour) mean delay of Reliable, so that the average delay is the 
same as Mixmaster for comparison purposes. 

Mixmaster priorizes the anonymity over the delay, and it provides a minimum 
recipient (sender) anonymity of around 7, equivalent to perfect indistinguisha- 
bility among 2 7 = 128 input (output) messages. When the traffic load decreases, 
Mixmaster provides a larger latency to keep the anonymity at high levels. 

Reliable delays messages according to an exponential distribution, regardless 
of the traffic load. This has an effect on the anonymity, in that it will only have 
high values when there is a high traffic load. When the traffic load decreases, 
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the anonymity provided by Reliable drops to very low values. In some cases of 
very low load, Reliable does not provide anonymity at all. 

Our conclusion is that a continuous mix like Reliable is not appropriate to 
provide anonymous services for applications that do not have real-time require- 
ments (like email). A pool mix like Mixmaster should be used instead. 

Continuous mixes like Reliable may be useful for real-time applications with 
tight delay constraints (like web browsing). Nevertheless, in order to provide 
acceptable levels of anonymity, the traffic load should be kept high. 

6 Other Factors That Influence Anonymity 

We have evaluated the anonymity strength of the mixing algorithms imple- 
mented in Mixmaster and Reliable. Additional factors have a direct impact on 
the anonymity provided by the system. Concerns such as the security of the 
underlying operating system, host server integrity, proper implementation of 
the cryptographic functions provided by the remailer software, and likelihood of 
administration mistakes all contribute to the overall anonymity these software 
packages can provide. We assume that no active attacks against the software 
occurred during the development or compilation process, though additional con- 
cerns are present in that area [Tho84]. 

This paper does not aim to be an in-depth analysis of the full spectrum of 
host-attacks against remailer nodes. Nevertheless, it is important to mention 
some significant differences between Reliable and Mixmaster that may affect 
their ability to provide adequate anonymity for their users. 

6.1 Host Server Integrity 

The security of an operating mix is dependent on the security of the underlying 
host server. Many factors can impact the underlying system’s security. Some 
considerations include shared access to the system by untrusted users, access to 
key material on disk or in memory, and the ability to insert shims to intercept 
dynamically loaded libraries called by the remailer software [Tha03] . 

Reliable is limited to operation on the Windows platform. Mixmaster is 
portable, and has been known to run on a wide variety of operating systems 4 . 
Host server security is ultimately the responsibility of the remailer operator. 

6.2 UI Issues 

In a privacy application client, an intuitive user interface is essential in order to 
ensure that the software is used consistently and correctly [Sas02]. A greater level 
of skill can safely be assumed when designing privacy software that is intended 
to be operated as a service, however. Most anonymity systems, including mix 

4 There have been instances of remailers based on the Mixmaster 3.0 codebase operat- 
ing on SunOS, Solaris, SunOS, AIX, Irix, BeOS, MacOS X, Windows NT (natively 
and through the use of Cygwin), Windows 2000 (natively and through the use of 
Cygwin), Windows XP (through the use of Cygwin), FreeBSD, NetBSD, OpenBSD, 
and multiple versions of Linux. 
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implementations, do imply a significant degree of complexity. Since the operation 
of a public Internet service involves the correct configuration and maintenance of 
the host server, this necessary complexity is acceptable as long as the operator’s 
skill level is sufficient. The level of skill required to properly install, configure, 
and operate a mix node should not exceed that required to properly install, 
configure, and operate the server itself. 

The software packages we evaluated differed with regard to their interface 
complexity in a number of areas. 

In general, Reliable has a greater “ease of use” factor with respect to its 
interface. Mixmaster automates many important tasks, such as adaptive dummy 
generation, key rotation and key expiration announcement, and integrates more 
easily with the host MTA 5 . Reliable’s installation process is easier, but its build 
process requires the use of third-party commercial applications and assumes 
experience with Windows development, so most users will install a pre-compiled 
binary. Compilation of Mixmaster is performed through a simple shell script. 

At first glance, it appears that Reliable will be easier for hobbyists to op- 
erate than Mixmaster. However, Mixmaster’s difficulty does not rise above the 
difficulty of maintaining a secure Internet-connected server, and thus has little 
effect on the overall security of a mix node deployment. 

6.3 Programming Language 

While the most critical factor in the creation of secure code is the manner in 
which it is written, some languages lend themselves to greater risk of exploitable 
mistakes. An inexperienced or unskilled programmer will always be in danger 
of making an application insecure. The choice of programming language merely 
sets the bar for the required level of experience and ability necessary to develop 
applications in that language safely. Thus, when evaluating the likelihood of the 
existence of exploitable code in an application, it is worthwhile to consider the 
programming language used to create that application. Mixmaster is written in 
C, while Reliable is written in Visual Basic. Since neither Mixmaster nor Reliable 
was written by seasoned software developers, we assume a level of experience that 
would allow for simplistic security mistakes 6 . 

6.4 Source Code Documentation 

To facilitate source code review and verification of an application’s correctness 
with regard to its implementation of a protocol, it is beneficial for there to 

5 Mail Transport Agent, e.g. sendmail or postfix 

6 The bulk of the code for Mixmaster 3.0 was written by Ulf Moller as his first major 
software development project while completing his undergraduate computer science 
degree [M02]. He has since gained respect as a skilled cryptographic software devel- 
oper for his open source and proprietary development projects. Reliable was authored 
under a pseudonym, and we can only speculate about the level of experience of its 
author. (There has been no known communication with the author of Reliable since 
February, 2000). 




Comparison Between Two Practical Mix Designs 



153 



be both good commenting in the source code and a clear specification for its 
behavior. 

While neither program is sufficiently commented or written clearly enough 
to allow a reviewer to easily learn how either system works by reading the source 
code alone, there exists a complete specification of the Mixmaster node behav- 
ior [MCPS03]. No such specification or description exists for Reliable. 

6.5 Included Libraries 

In addition to the standard POSIX libraries provided by the compilation OS, 
Mixmaster 3.0 (the version of Mixmaster evaluated in this paper) requires that 
the zlib [DG96] and OpenSSL [CEHL] libraries be included. Optionally, Mix- 
master also links against pcre [Haz] and ncurses [BHRPD] . 

Reliable requires many native Windows system calls as well as the third-party 
application, Mixmaster 2.0.4 7 . 

6.6 Cryptographic Functions 

Both Mixmaster and Reliable avoid direct implementation of cryptographic al- 
gorithms when possible. Mixmaster 3.0 relies strictly on OpenSSL for these cryp- 
tographic functions. Any attackable flaws in the cryptographic library used to 
build Mixmaster that affect the security of the algorithms 8 used by Mixmaster 
may be an attack against Mixmaster as well. 

Reliable abstracts the cryptographic operations one step further. To support 
the Mixmaster message format, Reliable acts as a wrapper around the DOS 
version of Mixmaster 2.0.4. Thus, any attack against the Mixmaster message 
format due to implementation flaws in Mixmaster 2.0.x will work against Reliable 
as well. Mixmaster 2.0.4 relies on the cryptographic library OpenSSL or its 
predecessor SSLeay for the MD5, EDE-3DES, and RSA routines 9 . 

6.7 Entropy Sources 

The quality of the entropy source plays an extremely important role in both the 
pool mix and S-G mix schemes. In pool mix systems, the mixing in the pool must 
be cryptographically random in order to mix the traffic in a non-deterministic 

7 Mixmaster 2.0.x has an entirely different codebase than that of Mixmaster 3.0. While 
Reliable relies on the Mixmaster 2.0.4 binary for some of its functionality, Reliable 
is an independent application in its own right, and should not be considered a mere 
extension to the Mixmaster codebase. 

8 It is understood that flaws in the cryptographic algorithms will affect the security 
of software that relies upon those algorithms. However, since most attacks on cryp- 
tographic applications are due to flaws in the implementation, care must be taken 
when evaluating the shared cryptographic libraries. 

9 Prior to the expiration of the RSA patent, versions of Mixmaster 2.0.x offered sup- 
port for the RSAREF and BSAFE libraries as well. Use of these versions of Mix- 
master is largely abandoned. 
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way. The timestamps that determine how long a message should be held by an 
S-G mix implementation must also be from a strong entropy source for the same 
reasons. In addition, the Mixmaster message format specifies the use of random 
data for its message and header padding. 

Software is dependent on its underlying operating system for a good source of 
entropy. Cryptographic quality entropy is a scarce resource on most systems 10 , 
and therefore the entropy sources provided by most modern operating systems 
actually provide PRNG output which has been seeded with truly-random data. 

Mixmaster uses OpenSSL’s rand_ functions 11 . Reliable uses the standard 
Windows system call, Rnd(), when obtaining entropy, with the exception of 
message and header padding (which is done by the supporting Mixmaster 2.0.4 
binary). The Rnd() function is not a cryptographically strong source of en- 
tropy [Cor], R.ndQ starts with a seed value and generates numbers which fall 
within a limited range. Previous work has demonstrated that systems that use a 
known seed to a deterministic PRNG are trivially attackable [GW96]. While its 
use of RndQ to determine the latency for a message injected into the mix is the 
most devastating, Reliable uses Rnd() for many other critical purposes as well. 

6.8 Network Timing Attacks 

By analyzing the input and output traffic of a mix, a skilled attacker may be 
able to deduce the value of pool variables by timing observation. This affects 
pool mixes more than S-G mixes, and possibly aids an attacker in some non- 
lrost based active attacks such as (n — 1) attacks. The anonymity strength of a 
remailer should not require pool values to be hidden, and countermeasures to 
this class of active attacks should be taken [DS03a]. 

7 Conclusions and Future Work 

In this paper we have analyzed the traffic pattern of a real traffic stream going 
through a working mix node and found that the traffic is not Poisson, as it is 
commonly assumed in the literature. The traffic pattern is highly unpredictable. 
Therefore, no assumptions on the traffic should be made when designing a mix. 

We measure the anonymity of the pool mix scheme used in Mixmaster by 
applying a metric previously proposed in the literature. We provide our own 
metric for evaluating the anonymity of the S-G mix variant used in Reliable 
that does not assume a Poisson traffic pattern. 

Our comparison of the two predominant mixing applications shows that Mix- 
master provides superior anonymity, and is better suited for the anonymization of 
email messages than Reliable. Mixmaster provides a minimum level of anonymity 
at all times; Reliable does not. Reliable’s anonymity drops to nearly zero if the 

10 Systems that employ the use of noisy diodes or other plentiful sources of entropy 
have less of a concern for entropy pool exhaustion. 

11 OpenSSL relies on its internal PRNG seeded with various system sources to provide 
cryptographically strong entropy. 
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traffic is very low. In high-traffic situations, Mixmaster provides a higher maxi- 
mum anonymity than Reliable for the same stream of input: 10.5 of Mixmaster 
versus 10 of Reliable. We have shown that Mixmaster provides higher average 
anonymity than Reliable for the same input and same average delay. Due to 
its nature as a pool mix, Mixmaster provides higher delays than Reliable in 
low traffic conditions. Comparatively, due to the nature of S-G mixes, Reliable’s 
delay is not dependent on the traffic. 

In addition, we have identified a number of key points of attack and weakness 
in mix software to which anonymity software designers need to pay particular 
attention. In addition to the areas of theoretical weakness that we have identified, 
we discovered a fatal flaw in the use of randomness in Reliable, which diminishes 
its ability to provide anonymity, independent of our findings with regard to the 
S-G mix protocol. 

We can conclude from our analysis of the mixing algorithms used by these 
mix implementations that S-G mix variants such as the one used in Reliable are 
not suitable for use with systems that may have occurrences of low traffic on the 
network. While such S-G mixes may be an appropriate solution for systems with 
a steady input rate, they are not suited for systems with variable input traffic. 
Pool mixes such as Mixmaster should be preferred for systems with fluctuating 
traffic loads and relaxed latency contraints. 
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A Method to Compute the Anonymity of Reliable 

To formalize the behavior of the mixes, we define: 

— X s : an incoming message arriving at time s; 

— Y t : an outgoing message leaving at time t: 

— D : the amount of time a message has been delayed. 

We know that the mixes delay the messages exponentially and we have set the 
mean to 1 hour: D ~ exp(l): 

pdf : f(d ) = e~ d for all d > 0 ; 

= 0 elsewhere ; 

cdf : F(d) = P{D < d) = 1 — e~ d for all d > 0 ; 

= 0 elsewhere . 

All delay times are independent. 

Crucial to note in this setup is that the sequence of outgoing messages is 
not a Poisson process. This would only be true if all inputs would arrive at the 
same time, hence belong to the mix when the delaying starts or if the sequence 
of arrivals are a Poisson process. But in our case, messages arrive at distinct 
moments in time, each being exponentially delayed upon their arrival times. 

Mixes flush at fixed time moments which are observed by the attacker: 
t, G {outi, out 2 , . . . , out m } • 



He also observes the arrival times: 

s G {ini, in 2 , . . . , injv}. 

If a message leaves the mix at time t, what are then the probabilities for the 
arrival times? Suppose the departure time t =out is fixed. We then look for the 
probability that the message that left at time out is the same message as the 
one that entered the mix at time s: 

P(Y out = X a ) = P(D = out - s) . 

We can hence rephrase the problem in terms of the delay: which values for 
the delay times are the most probable? Clearly, negative delay is impossible 
so only arrival times prior to out are probable. These arrival times form a set 
{ini, in 2 , . . . , in/ c } with in*, < out. The matching delay times are then { out - 
ini, out- in 2) . . . , out-ink } to which we will refer to as {d±, d 2 , . . . , dk}- Note that 
d\ > d 2 > . . . > dk- We are almost at the solution as the density function of 
the delay times is known! Caution has to be taken however as the exponential 
function is a continuous function which means that the probability of the delay 
taking a single value is zero: P(D = d±) = ... = P(D = dk) = 0! 
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Fig. 9. An example of an exponential probability density function 




delay (ir hours) 



Fig. 10. The matching exponential cumulative density function 



How can we then calculate the probabilities of the delay times? To make this 
clear, let us look at Figure 9 and suppose that we only have three arrival times 
prior to out. We have thus three possible delays d\ > d 2 > cfe . Let us now assume 
for simplicity reasons that d\ = 3 hours, d 2 = 2 hours and d% = 1 hour. The 
variable delay is continuous and can theoretically take every value in the interval 
[0,3]. However, we know that we only flush at three particular times and that 
hence only three particular delays can occur. We can exploit this knowledge in 
the following way: 

P(D = di) « P{d 2 < D < d\) — light surface ; 

P(D = d 2 ) ~ P{d 3 < D < d 2 ) = medium surface ; 

P(D = ds) ~ P(0 < D < d%) = dark surface . 

In this way one can clearly see that the biggest surface corresponds to the most 
probable delay! This is straightforward for more than three delays. For computa- 
tion we make use of the cumulative distribution function (cdf) which is graphed 
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in Figure 10. Cumulative probabilities are listed in tables and known in statis- 
tical software. For reasons of simplicity we put the mean of the exponential to 
be 1 hour (easy parameterization): 

P{D = (h) « F{di) - F{d 2 ) = 0.9502 - 0.8647 = 0.0855 ; 

P{D = d 2 ) « F{d 2 ) - F{di) = 0.8647 - 0.6321 = 0.2326 ; 

P{D = d 3 ) « F(d 3 ) = 0.6321 . 

In our little example, the message corresponds most likely with the one that 
entered the mix 1 hour before out. You can also clearly see this on Figure 9. 
In practical applications however, many possible delays will occur so that visual 
inspections will not be efficient and calculations have to made and compared. 

A.l Uniform Delays 

Reliable allows for mix-chosen uniform delays if the users do not specify any 
delay for their messages. 

We have found a method to compute the anonymity provided by a mix 
that delays inputs uniformly from a distribution U[a, b]. The method consists in 
creating a tables with all inputs and outputs. Then we search for all possible 
combinations input-output that are possible from an external observer’s point of 
view (i.e., those that assign to every input that arrives at time T an output that 
leaves between T + a and T + b). Let us call the total number of combinations 
C. 

Then, to compute the recipient (sender) anonymity of message m.;, we need to 
find the distribution of probabilities that link this input (output) to all outputs 
(inputs) . 

If input irii appears matching output Sj in P combinations, then the proba- 
bility assigned to Sj is P/C. 

The probability of an input of matching an output is computed as possible 
cases divided by total cases. From this distribution, the sender and recipient 
anonymity can be computed for every message. 

Unfortunately, due to the large amount of messages considered, the imple- 
mentation of this algorithm in our case is not feasible. 
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Abstract. Database outsourcing is a popular industry trend which in- 
volves organizations delegating their data management needs to an ex- 
ternal service provider. Since a service provider is almost never fully 
trusted, security and privacy of outsourced data are important concerns. 
This paper focuses on integrity and authenticity issues in outsourced 
databases. Whenever someone queries a hosted database, the returned 
results must be demonstrably authentic: the querier needs to establish 
- in an efficient manner - that both integrity and authenticity (with 
respect to the actual data owner) are assured. To this end, some recent 
work [19] examined two relevant signature schemes: a condensed variant 
of batch RSA [3] and an aggregated signature scheme based on bilinear 
maps [6] 

In this paper, we introduce the notion of immutability for aggregated 
signature schemes. Immutability refers to the difficulty of computing new 
valid aggregated signatures from a set of other aggregated signatures. 
This is an important feature, particularly for outsourced databases, since 
lack thereof enables a frequent querier to eventually amass enough ag- 
gregated signatures to answer other (un-posed) queries, thus becoming 
a de facto service provider. Since prior work does not offer immutability, 
we propose several practical techniques to achieve it. 



1 Introduction 

Database outsourcing is a prominent example of the more general commercial 
trend of outsourcing non-core competencies. In the Outsourced Database (ODB) 
Model, a third-party database service provider offers adequate software, hard- 
ware and network resources to host its clients’ databases as well as mechanisms 
to efficiently create, update and access outsourced data. 

The ODB model poses numerous research challenges which influence overall 
performance, usability and scalability. One of the biggest challenges is the se- 
curity of hosted data. A client stores its data (which is usually a critical asset) 
at an external, and only partially trusted, database service provider. It thus be- 
comes important to secure outsourced data from potential attacks not only by 
malicious outsiders but also from the service provider itself. 



P. Samarati et al. (Eds.): ESORICS 2004, LNCS 3193, pp. 160—176, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 
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The two pillars of data security are privacy and integrity. (We use the term 
integrity in a somewhat broad sense, encompassing both data integrity and au- 
thentication of origin .) The need for data privacy in the ODB model has been 
recognized and addressed, to some degree, in prior work by Hacigumu§, et al. 
[14]. The central problem in the context of privacy is allowing a client to effi- 
ciently query its own data hosted by a third-party service provider (referred to 
as simply “server” from here on) while revealing to the latter neither the actual 
query nor the data over which the query is executed. 

Other relevant prior work [10] [15] examined integrity issues in outsourced 
databases and suggested some limited solutions 1 . Recently, more general tech- 
niques were investigated in [19] where two signature schemes were proposed for 
efficient integrity and authenticity support in querying outsourced databases. 
One scheme is a simple variant of batch RSA and the other - the aggregated sig- 
nature scheme based on bilinear maps [6] . Each scheme enables bandwidth- and 
computation-efficient integrity verification for any possible query reply. However, 
as shown below in more detail, the schemes in [19] (as well as those in [10]) are 
mutable, i.e., auy entity in possession of multiple authentic query replies can 
derive other, equally authentic query replies. 

We view mutability not as a flaw of the underlying signature schemes but 
rather as an issue with their specific application in the ODB model. In this 
paper, we focus ou providing a feature that we term immutability for aggregated 
signature schemes. 

Contributions: This work makes two contributions. First, it informally defines 
the notion of immutability for aggregated signatures which is, at some level, 
equivalent to adaptive attack resistance for aggregated signature schemes. Sec- 
ond, it demonstrates some simple add-on techniques for schemes considered in 
[19]. These techniques provide, at a little additional cost (as illustrated in Section 
6), immutability for the respective signature schemes. 

Organization: In section 2, we describe the ODB model in more detail. Section 3 
motivates the need for immutable aggregated signature schemes. Next, section 4 
describes the variant of RSA that allows aggregation of signatures by a single 
signer and the aggregated signature scheme by Bonelr et al. [6] which allows 
aggregation of signatures by multiple signers. Section 5 then presents some tech- 
niques to achieve immutability for these two schemes. Section 6 discusses the 
overhead associated with the proposed techniques, followed by section 7 which 
overviews relevant prior work. The paper concludes with the summary of our 
results in section 8. 

2 System Model 

The ODB model is an example of the well-known Client-Server paradigm. In 
ODB, a Database Service Provider (which we refer to as a server) has the in- 

1 See section 7 for the discussion of this and other related work. 
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frastructure to host outsourced databases and provides efficient mechanisms for 
remote clients to create, store, update and query their databases. 

Clients are assumed to trust the server to faithfully maintain outsourced data. 
Specifically, the server is relied upon for replication, backup and availability of 
outsourced databases. However, the server is not assumed to be trusted with the 
integrity of the actual database contents. This lack of trust is crucial as it brings 
up new security issues and serves as the chief motivation for our work. Specifi- 
cally, we want to prevent the server from making unauthorized modifications to 
the data stored in the database. 

Depending on the types of clients involved, we distinguish among three flavors 
of the ODB model: 

1. Unified Client: a database is owned by a single client which is also the 
only entity querying the same database. This is the simplest ODB scenario 
with relatively few security challenges (in terms of integrity) . 

2. Multi-querier: a database is owned by a single client but multiple queriers 
are allowed to query the hosted database. This scenario is very similar to 
authentic third-party publication [10]. 

3. Multi-owner: a database is jointly owned by multiple clients and multiple 
queriers are allowed to query the hosted database. This scenario is typical 
in many organizational settings where multiple users/entities are allowed to 
own a subset of records within the same database. (Consider, for example, a 
sales database where each salesperson owns all records for the transactions 
that she performed.) 

Since the integrity issues in the Unified Client scenario are few and easily handled 
with standard textbook techniques, in the remainder of this paper, we focus on 
the Multi-Querier and Multi-Owner scenarios. 

We assume that a querier may be a device (or an entity) limited in all or some 
of: computation, communication and storage facilities. A cellphone, a wireless 
PDA or a computer communicating over a slow dial-up line are all examples of 
such anemic queriers. Limited amount of battery power may be an additional, 
yet orthogonal, issue. 

All of these constraints incentivize new techniques that optimize (i.e., mini- 
mize) both communication and computation overhead for the queriers in the 
ODB model. To this end, the recent work in [19] considered two signature 
schemes: Condensed-RSA and Aggregated-BGLS both of which allow the 
server to return to the querier a set of records 2 matching the query predi- 
cate along with a single aggregated signature. Condensed-RSA is very efficient 
but only permits aggregation of signatures produced by a single signer. In con- 
trast, Aggregated-BGLS is less efficient but supports aggregation of signatures 
produced by multiple signers. Hence, Condensed-RSA is more suitable for the 
Multi-Querier, and Aggregated-BGLS - for the Multi-Owner, scenario. 

2 In our setting, the client’s database is a typical relational database (RDBMS) where 
data is organized in tables (or relations). Each table has multiple rows and columns. 
A column represents an attribute of the table and a row (or a record) is an instance 
of the table. 
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3 Motivation 

Although both techniques explored in [19] are fairly practical, each exhibits a 
potentially undesirable mutability feature. Mutability means that anyone in pos- 
session of multiple aggregated signatures can derive new and valid (authentic) 
aggregated signatures which may correspond to un-posed queries. For exam- 
ple, consider a database with two relations employee and department with the 
following respective schemas: employ ee(empID, name, salary, deptID) and de- 
partment^ dept.ID , managerlD). We now suppose that two SQL queries are posed, 
as shown in Figure 1. The first (Ql) asks for names and salaries of all managers 
with salary > 100/v and the second (Q2) asks for the same information for all 
managers with salary > 140 K. 



Ql. SELECT e.name, e. salary 

FROM employee e, department d 

WHERE e.empID = d. managerlD AND e. salary > 100000 

Q2. SELECT e.name, e. salary 

FROM employee e, department d 

WHERE e.empID = d. managerlD AND e. salary > 140000 

Q3. SELECT e.name, e. salary 

FROM employee e, department d 
WHERE e.empID = d. managerlD AND 

e.salary BETWEEN 100000 AND UOOOO 

Fig. 1. SQL Queries 



A querier who previously posed queries Ql and Q2 and obtained correspond- 
ing replies along with their aggregated signatures SI and S2, can compute, on 
her own, a valid new signature for the un-posed query Q3, as shown in Figure 
1. In essence, the reply to Q3 is (Ql — Q 2), i.e., information about all managers 
who earn between 100K and 140K. The specifics of computing a new signature 
from a set of existing signatures depend on the underlying aggregated signature 
scheme, as described in the next section. 

We note that the above example is not specific to the use of aggregated signa- 
ture schemes for integrity purposes in the ODB context. If, instead of aggregated 
signatures, plain record-level signatures were used (e.g., DSA or RSA), a single 
SELECT-style query would cause the server to compose a query reply containing 
a set of records matching the query predicate, each accompanied by its signa- 
ture. The querier can then easily construct legitimate and authentic query replies 
for un-posed queries, since she is free to manipulate individual record-level sig- 
natures. Furthermore, other methods, such as the constructs based on Merkle 
Hash Trees (MHTs) suggested by Devanbu, et al. [10], are equally susceptible to 
mutability of authentic query replies. (In [10], a querier obtains a set of records 
matching a posed query along with a set of of non-leaf nodes of an MHT. The 
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exact composition of this set depends on the type of a query.) We now consider 
a few concrete scenarios where mutability is undesirable. 

Paid Database Services: Mutability is undesirable when the data owner wants to 
offer paid database services in association with the server. (This clearly applies 
only to the Multi-Querier and Multi-Owner ODB scenarios.) In essence, a server 
can be viewed as an authorized re-distribution agent for the information con- 
tained in, or derived from, the outsourced database. Consequently, one reason 
for avoiding mutability is to prevent unauthorized splitting and re-distribution 
of authentic query replies. For example, consider the case of data owner and/or 
server who wish to charge a fee for each query over the outsourced database. 
Consequently, it might be important to prevent queriers from deriving new valid 
aggregated signatures from prior query reply sets and re-selling information that 
has not been paid for. 

To make the example more specific, consider an on-line authorized music 
distributor with a large database of songs, each digitally signed by the artist. 
Suppose that the distributor only wishes to sell complete albums (compilations) 
and not individual songs. The distributor (server) can then simply aggregate the 
signatures of individual tracks to provide its clients a unified proof of authenticity 
and integrity for the entire album. In this case, signature aggregation gives the 
distributor the means to mix and match the songs to make various compilations. 

One concern that would arise in this scenario (due to the mutability of the 
underlying aggregated signature scheme) is that clients could potentially start 
their own music distribution services with the goal of reselling individual songs 
at higher cost per song than that of the original distributor (who only sells 
complete albums). 

Content Access Control: Consider the ODB scenario where the owner wants the 
server to enforce a certain content access control mechanism: for each client (or a 
group of clients) access is restricted to a specific subset of the database. A client 
who poses a query only gets back the data that she is entitled to see based on her 
specific privileges. If the database is a collection of individually signed records, 
the server can aggregate individual record signatures to construct a single proof 
of authenticity and integrity for the entire query reply. 

Two colluding clients (each with different access control privileges) can share 
their respective query replies. If the aggregated signature scheme is mutable, the 
two clients, by further aggregating the two query replies into a single quantity, 
can convince others that they have more privileges than they really have. In 
other words, a client can combine two aggregated signatures to produce a new 
and authentic aggregated signature that can act as proof that she has higher 
access privileges. This can have undesirable implications. 

4 Aggregated Signature Schemes 

In this section, we take a closer look at the two signature schemes considered in 
[19] and illustrate their respective mutability properties. 
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4.1 Condensed-RSA 

The RSA [20] signature scheme is multiplicatively homomorphic which makes it 
suitable for combining multiple signatures generated by a single signer into one 
condensed signature 3 . A valid condensed signature assures its verifier that each 
individual signature contained in the condensed signature is valid, i.e. , generated 
by the purported signer. Aggregation of single-signer RSA signatures can be 
performed incrementally by anyone in possession of individual RSA signatures. 
By incrementally, we mean that the signatures can be combined in any order 
and the aggregation need not be carried out in a single operation. 

RSA Signature Scheme: We first describe the setup of the standard RSA signa- 
ture scheme. A party has a public key pk = (n, e) and a secret key sk = (n, d), 
where n is a fc-bit modulus formed as a product of two fc/2-bit primes p and 
q. Both public and private exponents e,d £ Z* and satisfy ed = 1 mod 
where </>(n) = (jp — l)(q — 1). The minimum currently recommended k is 1024. 
The security of the RSA cryptosystem is based on the conjectured intractability 
of the large integer factorization problem. 

In practice, an RSA signature is computed on the hash of an input message. 
Let h() denote a cryptographically strong hash function (such as, SHA-1) which 
takes a variable length input m and produces a fixed-length output denoted as 
h(m). A standard RSA signature on message m is computed as: a = h(m) d 
(mod n). Verifying a signature involves checking that a e = h(m) mod n. Both 
signature generation and verification involve computing one modular exponen- 
tiation. 

Condensed-RSA Signature Scheme: Given t different messages {toi,...,TO(} 

and their corresponding signatures {ui, at} generated by the same signer, 
a Condensed-RSA signature is computed as the product of all t individual sig- 
natures: 

t 

01,4 = U <Jj (mod n) 

The resulting aggregated (or condensed) signature <ri >t is of the same size as a 
single standard RSA signature. Verifying an aggregated signature requires the 
verifier to multiply the hashes of all t messages and checking that: 

t 

(o'! ,t) e = h(mi) (mod n) 

i= 1 

Security of Condensed-RSA: [19] describes the security of Condensed-RSA by 
demonstrating that it is at least as secure as Batch verification of RSA [3]. 
Batch verification of RSA signatures was shown to be secure (in [3]) under the 
assumption that RSA is a collection of one-way functions. The proof assumes 

3 We use the term condensed in the context of a single signer and aggregated in the 
context of multiple signers. Clearly, the former is a special case of the latter. 
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that the individual RSA signatures are generated using a full-domain hash func- 
tion (FDH) in place of a standard hash function (such as SHA-1), as described in 
[5] . An FDH is a hash function which takes arbitrary length input and produces 
an output that is an element of Z*, i.e., Hfdh '■ {0, 1}* — > Z* 

Mutability of Condensed RSA: Given two condensed signatures: on messages 

{mi, T?ij} and a ij on messages {mi, rrij} where j < i, it is possible to 
obtain a new condensed signature Oj+i,i on messages {mj+i, . . . , m j } by simply 
dividing cri^ by aij (modulo n). 

(o-j+l,i) = (cr i , i ) / (cr i j) (mod n) 

Similarly, given two condensed signatures on messages {mi, ..., ?n,} and 
<Ji+i,j on messages {m l+ i , rrij}, anyone can obtain a new condensed signature 
crij on messages {mi, ...,TOj,TOj+i, rrij} (assuming all messages are distinct) 
by multiplying o\ y and cr i+l j -: 

(cti j) = (cr lti ) X ( cr i+1 j ) (mod n) 



4.2 BGLS 

Boneh, et al. in [6] construct an interesting signature scheme that allows in- 
cremental aggregation of signatures generated by multiple signers on different 
messages into one short signature based on elliptic curves and bilinear maps. 
This scheme (BGLS) operates in a Gap Diffie-Hellirian group (GDH) - a group 
where the Decisional Diffie-Hellman problem (DDH) is easy while the Computa- 
tional Diffie-Hellman problem (CDH) is hard. The first instance of such a group 
was illustrated in [17]. Before describing BGLS, we briefly overview the necessary 
parameters: 

— G± is a cyclic additive group with generator g\ 

— G 2 is a cyclic multiplicative group 

— e is a computable bilinear map e : Gi x G\ — + G 2 as described below 

A bilinear map e : G\ x G\ — > G 2 , where G'i| = |G r 2 1, satisfies the following two 
properties. 

1. Bilinearity: VP, Q € G\ and a, b £ Z, e(aP, bQ) = e(P, Q) ab 

2. Non-degenerativity: e(gi,gi) ^ 1 

These two properties imply that, for any Pi, P 2 , Q € Gi, e(Pi + P 2 , Q) = 
e(Pi,Q) • e(P 2 , Q); and, for any P, Q G Gi, e(^(P), Q) = e(ip(Q), P). 

BGLS Signature Scheme: BGLS requires the use of a full-domain hash function 
h() : {0,1}* — » Gi that maps binary strings to non-zero points in Gi. Key 
generation involves picking a random x £ Z p , and computing v = xg\. The 
public key is v £ Gi and the secret key is x £ Z p . Signing a message m involves 
computing H = h(m), where H £ G\ and a = xH. The signature is cr. To verify 
a signature one needs to compute H = h(m) and check that e(a,g 1 ) = e(H,v). 
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BGLS Aggregated Signature Scheme: To aggregate t BGLS signatures, one com- 
putes the point-addition operation (on the elliptic curve) of the individual sig- 
natures as follows: cr-|. t = 1 a ii where <r,; corresponds to the signature of 

message m, . The aggregated signature opt is of the same size as a single BGLS 
signature, i.e., \p\ bits. Similar to Condensed-RSA, the aggregation of signatures 
can be performed incrementally and by anyone. 

Verification of an aggregate BGLS signature cryt involves computing the 
point-addition of all hashes and verifying that: 

t 

e(CTi, t ,ffi) = \\_e{Hi,Vi) 

Due to the properties of the bilinear maps, we can expand the left hand side of 
the equation as follows: 

t t t t 

= e(^2xiHi,g i) = g ± ) Xi = JT e (- H », ^*Pi) = \\_ e {Hi, v i) 

i= 1 i= 1 i— 1 i= 1 

Mutability of Aggregated BGLS: Similar to Condensed-RSA, aggregated BGLS 
signatures can be manipulated to obtain new and valid signatures that corre- 
spond to un-posed query replies. Specifically, it is possible to either (or both) 
add and subtract available aggregated signatures to obtain new ones. 

For example, given 2 aggregated BGLS signatures crp, on messages {mi, 
. . . , m j } and <7i+\,j on messages {m,j+i, ..., wij}, if the messages {mi, ...,m,;} and 
{mj-|-i, ...,TOj} are all distinct (i.e., the two queries do not overlap), the verifier 
can obtain a new BGLS signature aij on messages {mi, ...,m,j,TOj+i, ...mj} by 
adding ui^ and crj+ij. 



= (oh,*) + (oi+iy) (mod p) 



5 Immutable Signature Schemes 

In this section, we propose extensions that strengthen previously described sig- 
nature schemes and make them immutable. 



5.1 Immutable Condensed RSA (IC-RSA) 

To make condensed-RSA signatures immutable, we use the technique that can 
be broadly classified as a zero-knowledge proof of knowledge of signatures. The 
server, instead of revealing the actual aggregated signature for a posed query, re- 
veals only the proof of knowledge of that signature. We present two variants: one 
that requires interaction, based on the well-known Guillou-Quisquater scheme, 
and the other that is non-interactive, based on so-called “signatures of knowl- 
edge” . 
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Interactive Variant. This technique uses the well-known Guillou-Quisquater 
(GQ) identification scheme [13] which is among the most efficient follow-ons to 
the original Fiat-Shamir zero-knowledge identification Scheme [2]. The version 
we present is an interactive protocol between the server (Prover) and the querier 
(Verifier) that provides the latter with a zero-knowledge proof that the Prover 
has a valid Condensed-RSA signature corresponding to the records in the query 
result set. 

Basically, the server returns to the querier the result set along with a witness. 
The querier then sends a random challenge to which the server replies with a 
valid response. The response together with the witness convince the querier 
of server’s knowledge of the Condensed-RSA signature, without revealing any 
knowledge about the Condensed-RSA signature itself. The actual protocol is 
shown in Figure 2. We use the terms Prover (P) and Verifier (V) instead of Server 
and Querier, respectively, since the protocol is not specific to the ODB setting 4 . 
Let X = <7i it = TIL a i (mod n) be the condensed-RSA signature computed as 
shown above. Recall that (e, n) is the public key of the original data-owner which 
all concerned parties are assumed to possess. Let M = J~[- =1 (mod n) and 

X e = (opt)® = M (mod n). 

In step 0, the querier poses a query (not shown in figure 2). In step 1, the 
server (prover) replies with the result set for that query as well as a commitment 
Y. Note that Y = r e (mod n ) where r is a randomly chosen element in Z* and 
n is the RSA modulus of the data owner who generated the individual RSA 
signatures corresponding to the records in the result set 5 and e, the correspond- 
ing public exponent. In step 2, the verifier (querier) sends back a challenge v 
that is chosen randomly from {0, l}d fc ) where l(k) is the bit-length of the public 
exponent e. In Step 3, server, upon receiving the challenge v, computes the re- 
sponse 2 = rX v (mod n) where X is the Condensed-RSA signature of the result 
set. In Step 4, the verifier accepts the proof if z yf 0 and z e = YM V (mod n) 
where M is the product of (hashes of) all messages in the result set. Checking 
z yf 0 precludes a malicious server from succeeding by choosing r = 0. Note that 
z e = ( rX v ) e = r e X ev = Y(X e ) v = YM V (mod n). Hence the protocol works. 

Security Considerations: GQ is RSA-based; the protocol is known to be honest- 
verifier zero-knowledge and is secure against impersonation under passive at- 
tacks, assuming RSA is one-way [13]. Subsequently, it is also proven secure 
against impersonation under active attacks in [4]. 

Forgery: The public exponent e defines the security level, i.e. , a cheating prover 
can convince the verifier, and thus defeat the protocol with probability 1/e, by 
correctly guessing the value of the challenge v a priori. Therefore, the bit-length 
of v (and, therefore, e since v Gr {0, l}G fe ) where l(k) is the bit-length of e) 

4 The original GQ scheme proposed in [13] is identity-based since it is used by the 
Prover to prove his “identity” to the verifier. However, in the current scenario, we 
present a version that is not id-based and does not require a key generation phase 
since the server uses the public key of the data owner to prove knowledge of the 
condensed-RSA signature by that data owner. 

5 Recall that Condensed-RSA allows only single signer aggregation. 
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Prover P 



Verifier V 
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Y —> r e (mod n) 



z — ♦ rX v (mod n) 
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v£r {0,l} iW 
V 

<— — 
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If 2 ^ 0 and z e = YM V (mod n) 
then accept, else reject 



Fig. 2. IC-RSA GQ-based Interactive Technique 



should be large enough. Note that the above protocol can be run multiple times 
for commensurably lower probability of successful forgery. In general, if it is run 
t times, the probability of forgery is e -t . 

Security Assumptions: The security of the protocol is based on the hardness of 
the RSA problem (i.e., computing e-th roots mod a composite integer n which 
is formed as a product of two large primes.) 

Non-interactive Immutable Condensed-RSA. The second, non-interactive, 
variant uses the technique of Signatures of Knowledge first popularized by Ca- 
menisclr and Stadler in [8]. Specifically, we use the so-called SKROOTLOG 
primitive which can be used to prove knowledge of an e-th root of the discrete 
logarithm of a value to a given base. Before presenting the details, we briefly de- 
scribe how this technique is used in our scenario. Conceptually, the server reveals 
all records matching the query as well as a signature of knowledge for the actual 
condensed-RSA signature corresponding to these records. A querier verifies by 
checking the SKROOTLOG proof. However, since the querier never actually gets 
the condensed signature, she can not exploit the mutability of Condensed-RSA 
to derive new signatures. In general, the querier can not derive proofs for any 
other queries by using proofs for any number of previously posed queries. 

SKROOTLOG Details: Let G =< g > be a cyclic group of order n. An e-th 
root of the discrete logarithm of y € G to the base g is an integer a satisfying 
g( a ) = y if such a a exists. If the factorization of n is unknown, for instance if 
n is an RSA modulus, computing e-th roots in Z* , is assumed to be infeasible. 
A signature of knowledge of an e-th root of the discrete logarithm of y to the 
base g is denoted SKROOTLOG[a : y = g ae ](m). 

Below, we briefly outline an efficient version of SKROOTLOG proposed in 
[8] which is applicable when the public exponent e is a small value (for instance, 
this efficient SKROOTLOG version is applicable when the value of e is set to 3) . 

Definition 1. If e is small, it is possible to show the proof of knowledge of the 
e-th root of the discrete log of y = g a to the base g by computing the following 
e — 1 values: 
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ol a . 2 Oi e 1 

yi=9 ,2/2 = 9 , * • * , 2/e— l =9 

and showing the signature of knowledge: 

U = SKREP[a : yi = g a A y 2 = yf A . . . A y = y ° LJ 

that the discrete logarithms between two subsequent values in the list g, y\, . . 
y e - 1 are all equal (to a) and known (to the prover). 

Below, we give the formal definition of SKREP as in [8] : 

Definition 2. A signature of the knowledge of representations ofyi , . . . ,y w with 
respect to bases gi,...,g v on the message m is defined as follows: 



SKREP 



(ot i , . . . , n u ) 





A ... A 




(m) 



where the indices eij £ {1, . . . , it} refer to the elements ai, . . . , a u and the indices 
bij £ {1, . . . , i>} refer to the base elements gi,...,g v . 

The signature consists of an (it+ 1) tuple (c, si, . . . , s u ) £ {0, l} fc x Z* satisfying 
the equation 



c = H m 






II all 

3 = 1 



• n all 

3=1 



SKREP can be computed easily if the u-tuple (ai, . . . , a u ) is known. Prover first 
chooses r,; £r Z„ for i = 1, . . . , u, computes c as 



c = Tt 



»IMI ■ • • \\yM \ • • • n^; 



i= 1 



m 

3=1 



9b u 



and then sets Si = ri — ca * (mod n) for * = 1 , . . . , u 



Non-interactive IC-RSA: The server executing a client query is required to per- 
form the following: 

1. select records that match the query predicate; 

2. fetch the signatures corresponding to these records; 

3. aggregate the signatures (by multiplying them modulo n, as mentioned 
above) to obtain the condensed RSA signature cr; 

4. send the individual records A4 = {toi, . . . , nit} back to the querier along with 
a proof of knowledge of a which is essentially a SKROOTLOG proof showing 
that the server knows the e-th root of g a . In other words, SKROOTLOG 
proof shows that the server knows the e-th root of . In order to show 
this, the server sends g a , g a and 6 the SKREP proof computed as above. 

6 Note that the server need not send g a = pH explicitly since the querier can 
compute this value knowing g and the individual m;-s 
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Security Considerations: In practice, the efficient version of the SKROOTLOG 
proof which was described in the previous section cannot be used as is. This 
is because the values y± . . .y e -i that are required for the SKREP proofs leak 
additional information about the secret. Hence a randomized version that is 
proposed in [8] needs to be used. The interactive protocol corresponding to the 
above definition of SKROOTLOG is proven honest-verifier zero-knowledge in 
[7]. For brevity, we skip the details of this discussion and refer interested readers 
to [8]. However, we would like to note that the security of the SKROOTLOG 
protocol is based on the difficulty of the discrete logarithm problem and the 
RSA problem. In addition, SKREP is based on the security of Schnorr signature 
scheme. The Non-Interactive IC-RSA, which in essence is the SKROOTLOG 
primitive, is therefore honest- verifier zero-knowledge [7]. This implies that the 
querier who is given only the proof of the condensed RSA signature, can not 
derive new signatures. In addition, the querier can not derive new proofs for any 
other queries by using proofs for any number of previously posed queries. 



Discussion. In this section, we compare the two techniques presented above. 

— Initialization and Parameter Generation: Non-Interactive technique 
(SKROOTLOG based) requires an elaborate parameter generation phase at 
the server. For each data owner whose RSA public key is (n,e), the server 
needs to generate a large prime p' = j * n + 1 (where n is the RSA modulus 
and j is some integer) and an element g £ 71* such that order of g is n. 
On the other hand, Interactive (GQ based) technique requires no additional 
parameter generation at the server since the server only requires to have 
knowledge of each data owner’s RSA public key (n, e). 

— Verifiability: In the Non-Interactive technique, the SKROOTLOG proof 
provided by the server is universally verifiable (or in other words, the proof 
is self authenticating and hence transferable). On the other hand, the In- 
teractive (GQ-based) technique provides guarantees only to the interactive 
verifier who poses the challenge and the proof of knowledge in this case is 
non-transferrable. This is perhaps the biggest difference between the two 
techniques. 

— Communication Rounds: Since SKROOTLOG based technique requires 
no interaction with the verifier for the proof, it requires no additional rounds 
of communication. In other words, the server executes the query and returns 
the result set as well as the proof of knowledge of the corresponding unified 
Condensed-RSA signature. On the other hand, the Interactive technique 
requires two additional rounds of communication with the verifier. 

5.2 Immutable BGLS (iBGLS) 

The extension to aggregated BGLS to achieve immutability is very simple: The 
server computes its own signature on the whole query reply and aggregates it 
with the aggregated BGLS signature of the owners. In other words, for a given 
query whose result includes messages {mi, m 2 , . . . , m*,}, the server computes 
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H = /i(mi||m2...||mfe|| other information') where || denotes concatenation, and 
signs this hash TL using its own private key x s to obtain x s 7i and computes: 



o = <Tl,t + x s Ti 



where cr-|. t is the aggregated BGLS signature of t messages obtained as described 
above. 

Now, a valid and authentic query reply comprises of the records in the result 
set along with an authentic iBGLS signature on the entire result set. Due to this 
simple extension, it is no longer feasible for anybody to manipulate the exist- 
ing iBGLS signatures to obtain new and authentic ones or get any information 
about individual component BGLS signatures. Verification of an iBGLS signa- 
ture a involves computing the individual hashes Hi - s of each message as well 
as computing the hash of the concatenation of all the messages Ti and verifying 
the following equality: e(a,g i) = II -=i e(iL,;, i>,:).e(7d, v s ) where v s is the server’s 
public key. Due to the properties of the bilinear mapping, we can expand the 
left hand side of the equation as follows: 

e(cr,gi) = e(X)‘=i XiH + x s H,gi) 

= e(Y?i=i x i H i> gi)- e (x a H, gi) 

= I\Ue(H i ,g 1 YKe{H,g^ 

= nU e{Hi,Xigi).e(H,x a gi) 

= n*=i e(Hi,Vi).e(H,v s ) 

Security Considerations: iBGLS is a direct application of the original aggregate 
BGLS signature scheme (see section 4.2). The security of BGLS relies upon a 
Gap-Diffie Heilman group setting and specifically requires that each message 
included in the aggregated signature be unique. Below we argue, informally, the 
security of our construction of iBGLS signatures. 

Let r,; denote database record i. An iBGLS signature cr is then constructed 
as follows: a = Y^Xi Xih(m,i), where messages mi, m 2 , ■■■, mt correspond to the 
selected records ri,r 2 , ...,ry and m *+ 1 = (n||?’ 2 ||---lkt)> i.e. , the concatenation of 
the these records. X\,X 2 , ■■■,Xt are the data owner’s private keys and Xt + 1 is the 
server’s key. We then claim that these t + 1 messages are distinct. Each database 
record r* contains a unique record identifier, resulting in messages mi, m 2 , ..., mt 
being distinct, mt+i will be unique for each record set returned as it consists 

' BGLS aggregation is secure only when the messages signed are all distinct. Therefore, 
if the server signed only the result set, it can potentially create a problem if the result 
set to a particular query contained a single record (message). Note that if the result 
set contained only one message then the owner’s message as well as the server’s 
message would be the same since server computes its signature on the entire result 
set. I11 order to avoid such situations, we require that the server add some additional 
information to the message that he signs. For example, the server may include query 
and/or querier specific information, timestamp etc. 
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exactly of the selected records, and moreover, it will be different than any rrij 
where j < t + 1. Therefore, all t + 1 messages are distinct. 

The immutability property of the above scheme relies upon the inability of 
an adversary to forge the server’s signature. This, in turn, implies that such an 
adversary cannot use an aggregate BGLS signature to generate a new iBGLS 
signature that verifies. In other words, the iBGLS signature construction is re- 
sistant to mutations assuming that BGLS signatures are unforgeable. 

6 Performance Analysis 

In this section, we present and discuss the experimental results for immutable 
signature schemes. We mainly consider the overheads introduced by the exten- 
sions we made to the Condensed-RSA and BGLS signature schemes to achieve 
immutability. Since these signature schemes were not implemented in their en- 
tirety, we provide rough estimates on the running costs by showing the number 
of additional basic cryptographic operations (such as modular exponentiations 
and multiplications) required by the extensions and also point out any additional 
communication overheads. We then present the actual cost (time) required to 
carry out these additional operations. 

Table 1 enlists the computational as well as communication overheads associ- 
ated with the various techniques we propose in this paper. We use the following 
notation to describe the various basic cryptographic operations: Mult t (k) <— t 
modular multiplications with modulus of size |fc| ; Exp\{k) <— t modular expo- 
nentiations with modulus of size |fc| and exponent of size \l\ ; BM ( t ) <— t, bilinear 
mappings; MTP(t) <— t Map-To-Point operations which are h() : {0, 1}* — > G\ 
that map binary strings to non-zero points in G\\ SPM(t) <— t Scalar-Point- 
Multiplications. 

Table 1. Cost comparison of techniques for Immutability 





Computation 


Communication 




at Client 


at Server 




GQ 


Adult 1 (n) + Expi(n) 


Mult L {n ) + Expi(n) 


2 


SKROOTLOG 


Expn{p') + A'Iult i (p') 


Expnip') + Exp2{n) 
+Mult 1 (n) 


0 


iBGLS 


BM( 1) 


MTP{ 1) + SPM{ 1) 


0 



Table 2 gives the actual time required to generate a single signature and also 
the time required to verify a single signature, multiple signatures by a single 
signer, and multiple signatures by multiple signers in both condensed RSA and 
BGLS schemes. We set the RSA public exponent e to 3 for SKROOTLOG and 
set e = (2 30 + 1) for GQ. Note that it is essential to have a large e for GQ 
since e in this case is also the security parameter. Further, we have used a 1024 
bit modulus n and the Chinese Remainder Theorem to speed up the signing 
procedure. All computations were carried out on an Intel Pentium-3 800 MHz 
processor with 1GB memory. The results for BGLS are obtained by using the 





174 



Einar Mykletun, Maithili Narasimha, and Gene Tsudik 



Table 2. Cost comparison (time in msec): Verification and signing 







Condensed-RSA 


BGLS 






e = 3 


e = 2' 5U + 1 




Sign 


1 signature 


6.82 


6.82 


12.0 




1 signature 


0.14 


0.56 


77.4 


Verify 


t = 1000 sigs, k = 1 signer 


44.12 


45.531 


12085.4 




t = 100 sigs, k = 10 signers 


45.16 


50.31 


12320.2 



MIR.ACL library [1] and the elliptic curve defined by the equation y 2 = x 3 + 1 
over F p where p is a 512 bit prime and q is a 160 prime factor of p— 1. In the table 
k denotes the total number of signers and t denotes the number of signatures 
generated by each signer. 

The next table (3) gives the time required to generate and verify an im- 
mutable signature under the two different RSA-based techniques as well as the 
BGLS extension. In this table, we only measure the overhead associated with 
the immutability extensions. Therefore, the costs do not include the original 
condensed-RSA or BGLS costs. In addition, we also do not count the communi- 
cation delays introduced by the protocols, particularly in the case of GQ which 
is multi-round protocol. 

Table 3. Cost comparison (time in msec): Immutable Signature Schemes 



Technique Used 


Computation at Client 


Computation at Server 


Total Overhead 


GQ 


0.309 


0.309 


0.618 


SKROOTLOG 


48.88 


46.489 


89.369 


iBGLS 


37.2 


12.0 


49.2 



We also would like to mention at this point that SKROOTLOG, in addition 
to the above mentioned costs, also incurs additional setup costs. These costs are 
necessary to set the parameters prime p' and element g of order n. Further, it is 
also worth noting that since condensed-RSA only enables single-signer aggrega- 
tion, it is necessary for the server to set up multiple sets of parameters: one for 
each signer. (In other words, since n-s of distinct owners are different, it becomes 
necessary to find distinct pairs {p ' , g) for each n). 

7 Related Work 

Database security has been studied extensively within the database as well as 
cryptographic research communities. Specifically, the problem of data privacy for 
outsourced databases has been investigated by many. Hacigiimu§, et al. examined 
various challenges associated with providing database as a service in [16]. In our 
work, we used a very similar system model. 

Private Information Retrieval (PIR) [9,11] deals with the exact matching 
problem and has been explored extensively in the cryptographic literature. How- 
ever, most of current PIR techniques aim for very strong security bounds and, 
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consequently, remain unsuitable for practical purposes. Song et al. [21] develop 
a more pragmatic scheme to search on data encrypted using a secret symmet- 
ric key. In summary, searching on encrypted data is becoming an increasingly 
popular research topic with such recent interesting results as [21,12]. However, 
the aforementioned schemes only support exact-match queries, i.e., the server 
returns data matching either a given address or a given keyword. Hacigiimu§, 
et al. in [14] explore how different types of SQL queries can be executed over 
encrypted data Specifically, they support range searches and joins in addition 
to exact-match queries. 

On a more related topic, [15] investigated integrity issues in the ODB model: 
data encryption is used in combination with manipulation detection codes to 
provide integrity. As mentioned earlier [19] mainly focuses on the use of digital 
signatures in order to facilitate efficient integrity assessment. The work of [10] 
explores the applicability of Merkle Hash Tree-s (MHT-s) as a technique for 
providing authenticity and integrity in third-party data publication settings. 
The use of authenticated data structures for providing data integrity in general 
has been studied extensively in [18]. 

8 Conclusions 

In this paper, we introduced the notion of immutability for aggregated sig- 
nature schemes. Some aggregated signature schemes suitable for providing data 
integrity and origin authentication for outsourced databases were considered re- 
cently in [19]. We constructed add-on techniques to provide immutability for 
these schemes. We also performed a detailed comparison and performance anal- 
ysis of the proposed techniques. 
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Abstract. We give a formal model for systems that store data in en- 
tangled form. We propose a new notion of entanglement, called all-or- 
nothing integrity (AONI) that binds the users’ data in a way that 
makes it hard to corrupt the data of any one user without corrupting 
the data of all users. AONI can be a useful defense against negligent or 
dishonest storage providers who might otherwise be tempted to discard 
documents belonging to users without much clout. We show that, if all 
users use the standard recovery algorithm, we can implement AONI us- 
ing a MAC, but, if some of the users adopt the adversary’s non-standard 
recovery algorithm, AONI can no longer be achieved. However, even for 
the latter scenario, we describe a simple entangling mechanism that pro- 
vides AONI for a restricted class of destructive adversaries. 



1 Introduction 

Suppose that I provide you with remote storage for your most valuable infor- 
mation. I may advertise various desirable properties of my service: underground 
disk farms protected from nuclear attack, daily backups to chiseled granite mon- 
uments, replication to thousands of sites scattered across the globe. But what 
assurance do you have that I will not maliciously delete your data as soon as 
your subscription check clears? 

If I consider deleting the data of a rich or powerful customer, I may be de- 
terred by economic, social, or legal repercussions. The small secret joy I might 
experience from the thought of the loss will not compensate me for losing a 
posted bond, destroying my reputation, or being imprisoned. But if you are an 
ordinary customer who does not have much clout, and I see a lucrative opportu- 
nity in altering - or simply neglecting to keep - your data, then deterrence loses 
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its effectiveness. Consequently, data of powerful customers end up being more 
protected than data of average customers. To convince an average customer that 
she will not lose her data at my random whim, I might offer stronger technical 
guarantees that I cannot destroy her data without serious costs. One way to 
do this would be to link the fate of her documents to the documents of enough 
other users that I cannot hope to offend them all with impunity. We shall call 
such documents entangled. 

Data entanglement was initially suggested as a mechanism for increasing 
censorship-resistance in document-storage systems, e.g ., Dagster [21] and Tan- 
gier [22]. These systems split data into blocks in such a way that a single block 
becomes part of several documents. New documents are represented using some 
number of existing blocks, chosen randomly from the pool, combined with new 
blocks created using exclusive-or (Dagster) or 3-out-of-4 secret sharing [19] (Tan- 
gier). Dagster and Tangier use entanglement as one of many mechanisms to pre- 
vent a censor from tampering with unpopular data; others involve disguising 
the ownership and contents of documents and (in Tangier) storing documents 
redundantly. 

It is not clear that data entanglement is actually useful for censorship resis- 
tance. Instead of having to specifically attack a target document, a censor only 
needs to damage any document entangled with the target to achieve his goal. 
Instead, we consider data entanglement for a different purpose: protecting the 
data from an untrusted storage provider that might be tempted to damage or 
destroy the data through negligence or malice. Entanglement provides an in- 
centive for the storage provider to take extra care in protecting average users’ 
documents by increasing the cost of errors. 

We begin in Section 2 by analyzing the intuitive notion of entanglement 
provided by Dagster and Tangier. We show that entanglement as provided by 
Dagster and Tangier is not by itself sufficiently strong to deter a dishonest storage 
provider from tampering with data, because not enough documents get deleted 
on average when destroying a block of a typical document. This motivates our 
efforts to obtain a stronger form of an entanglement than the ones provided by 
these systems. 

In Section 3, we define our general model of entanglement in an untrusted 
storage system. Our goal here is to model the entanglement operation itself, and 
we do not address the question of where in the system entanglement occurs. 
However, we do assume that the storage provider does not carry out the entan- 
gling operation itself, as giving it the users’ raw data would allow it to store 
copies that it could selectively return later, even if the entangled store were 
lost or damaged. Instead, some trusted third party is assumed to carry out the 
entangling operation, and a negligent or malicious storage provider is modeled 
separately as a “tamperer” that has access only to the entangled store. 

Section 4 contains our definitions of document dependency, where a doc- 
ument cannot be recovered if any document it depends on is lost, and all-or- 
nothing integrity, where no document can be recovered if any document is 
lost. These definitions allow a system-independent description of the binding be- 
tween entangled documents. We then consider how different levels of attacks on 




Towards a Theory of Data Entanglement 



179 



the common data store do or do not prevent enforcement of document depen- 
dency or all-or-nothing integrity. 

In particular, we show that, if all clients use a standard algorithm to re- 
cover their data, then all-or-nothing integrity requires only the ability to detect 
tampering using a MAC (Section 5.1); in this model, the standard recovery al- 
gorithm is too polite to return any user’s data if any other user’s data has been 
lost. Relying on such fastidiousness provides only a weak guarantee; what we re- 
ally want is that all data becomes irretrievable even by non-standard algorithms 
if any is lost. We show that this goal is impossible if an adversary is allowed 
to both tamper with the common store arbitrarily and provide a replacement 
recovery algorithm (Section 5.2). Despite such upgrade attacks, it is still pos- 
sible to provide a weaker guarantee that we call symmetric recovery, in which 
each document is equally likely to be destroyed (Section 5.3). Furthermore, if we 
restrict the adversary to destructive tampering, which reduces the amount 
of information in the common store, all-or-nothing guarantees are possible even 
with upgrade attacks (Section 5.4). 

These results provide a first step toward understanding document depen- 
dency. Suggestions for further work are given in Section 6. 

Because of space limitations, many proofs are omitted from this extended 
abstract. Complete proofs can be found in the full version, available as a Yale 
CS technical report [2]. 



1.1 Related Work 

Entanglement is motivated by the goal of deterring data tampering by untrusted 
servers, a more general problem that has been studied extensively. Entangle- 
ment has been used specifically in Dagster [21] and Tangier [15], as we describe 
in Section 2. Other approaches to preventing or deterring tampering include 
replication across global networks of tamper-resistant servers [1,4,5,9,17,23] 
or tamper detection [6-8, 12-14, 20] using digital signatures and Merkle hash 
trees [16]. Replication protects against data loss if a small number of servers are 
compromised; tamper detection prevents data loss from going unnoticed. Both 
techniques complement the entanglement approach considered here. 

All-or-nothing integrity as defined in the present work is related to the guar- 
antee provided by the all-or-nothing transform proposed by Rivest [18]. An 
all-or-nothing transform is an invertible transform that guarantees that no bits 
of the preimage can be recovered if t bits of the image are lost. All-or-nothing 
transforms are not directly applicable to our problem, because we consider the 
more general case in which the image may be corrupted in other ways, such as 
by superencryption or alteration of part or all of the common store. 



2 Dagster and Tangier 

We now review how Dagster [21] and Tangier [22] work, concentrating on their 
operations at a block level and omitting details of how documents are divided 
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into blocks. We then analyze the resulting entangling effects and show their 
shortcomings for protecting data from a negligent storage provider, motivating 
our stronger notions of entanglement in Section 4. 

2.1 Dagster 

The Dagster storage system may run on a single server or on a P2P overlay 
network. Each document in Dagster consists of c + 1 server blocks: c blocks of 
older documents and one new block, an exclusive-or of previous blocks with the 
document. The c + 1 blocks that must be XORecl to recover the document are 
listed in a Dagster Resource Locator. 

2.2 Tangier 

The Tangier storage system uses (3, 4) Shamir secret sharing [19] to entangle the 
data: Each document is represented by four server blocks, any three of which are 
sufficient to reconstruct the original document. The blocks get replicated across 
a subset of Tangier servers. Hashes of blocks are recorded in a data structure, 
similar to Dagster Resource Locator, called an inode. 

2.3 Analysis of Entanglement 

At a given point in time, a Dagster or Tangier server contains a set of blocks 
{Ci, . . . , C m } comprising documents {di, . . . ,d n } of a group of users. (Here 
m, n € N and m > n .) Data are partitioned in a way that each block be- 
comes a part of several documents. We can draw an entanglement graph (see 
Figure 1), which has an edge ( dj,Ck ) if block Ck belongs to document dj. This 
connection is rather tenuous - even if ( dj,Ck ) is in the graph, it may still be 
possible to reconstruct dj from blocks excluding Ck ■ Document nodes in Dag- 
ster ’s entanglement graph have an out-degree c+ 1, and those in Tangier’s have 
out-degree 4. Entangled documents share one or more server blocks. In Fig- 
ure 1, documents d\ and c ?2 are entangled because they share server block Ci; 
meanwhile, documents d\ and d 2 are not entangled. 

This shared-block notion of entanglement has several drawbacks. Even if 
document dj is entangled with a specific document, it may still be possible 
to delete dj from the server without affecting that particular document. For 
example, knowing that d„ is entangled with d\ (as in Figure 1), and that d\ is 
owned by some Very Important Person, may give solace to the owner of d n , who 
might assume that no adversary would dare incur the wrath of the VIP merely 
to destroy d n . But in the situation depicted in the figure, the adversary can still 
delete server blocks C 2 and C m and corrupt d n but not d-\ . 

The resulting dependence between documents is thus very weak. In the full 
paper, we show: 

Theorem 1 . In a Dagster server with n documents, where each document is 
linked with c pre-existing blocks, deleting a block of a random document destroys 
on average O(c) other documents. 
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Fig. 1. An entanglement graph is a bipartite graph from the set of documents to the 
set of server blocks. Edge ( dj,Ck ) is in the graph if server block Ck can be used to 
reconstruct document dj. 



Theorem 2 . In a Tangier server with n documents, deleting two blocks of a 
random document destroys on average O other documents. 

Even a small chance of destroying an important document will deter tam- 
pering to some extent, but some tamperers might be willing to run that risk. 
Still more troubling is the possibility that the tamperer might first flood the 
system with junk documents, so that almost all real documents were entangled 
only with junk. Since our bounds show that destruction of a typical document 
will on average affect only a handful of others in Dagster and almost none in 
Tangier, we will need stronger entanglement mechanisms if entanglement is to 
deter tampering by itself. 



3 Our Model 

In Section 3.1, we start by giving a basic framework for systems that entangle 
data. Specializing the general framework gives specific system models, differ- 
entiated by the choice of recovery algorithms and restrictions placed on the 
adversary. We discuss them in Section 3.2. 

Our model abstracts away many details of storage and recovery processes. 
It concentrates on a single entanglement operation, which takes documents of a 
finite group of users and intertwines these documents to form a common store. In 
practice, the server contents would be computed as an aggregation of common 
stores from multiple entanglement operations. We defer analyzing this more 
complex case to later work; see the discussion of possible extensions to the model 
in Section 6. 

3.1 Basic Framework 

The model consists of an initialization phase, in which keys are generated 
and distributed to the various participants in the system; an entanglement 
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phase, in which the individual users’ data are combined into a common store; a 
tampering phase, in which the adversary corrupts the store; and a recovery 
phase, in which the users attempt to retrieve their data from the corrupted store 
using one or more recovery algorithms. For simplicity of notation, we number 
the users {1, . . . ,n}, where every user i possesses a document di that he wants 
to publish. 




*i’ 

l 



1 



C = tk, '6) 



tamperer 



storage server 



Fig. 2. Initialization, entanglement, and tampering stages. 



An encoding scheme consists of three probabilistic Turing machines, (/, E, R), 
that run in time polynomial in the size of their inputs and a security parameter 
s. The first of these, the initialization algorithm J, hands out the keys used 
in the encoding and recovery phases. The second, the encoding algorithm 
E, combines the users’ data into a common store using the encoding key. The 
third, the recovery algorithm R , attempts to recover each user’s data using 
the appropriate recovery key. 

Acting against the encoding scheme is an adversary ( I,T 7 R ), which also 
consists of three probabilistic polynomial-time Turing machines. The first is an 
adversary-initialization algorithm /; like the good initializer J, the evil I 
is responsible for generating keys used by other parts of the adversary during 
the protocol. The second is a tampering algorithm T, which modifies the 
common store. The third is a non-standard recovery algorithm 11, which 
may be used by some or all of the users to recover their data from the modified 
store. 

We assume that /, T and R are chosen after I, E, and R are known but that 
a single fixed J, T, and R are used for arbitrarily large values of s and n. This 
is necessary for polynomial-time bounds on T and R to have any effect. 

Given an encoding scheme (/, E , R) and an adversary (/, T, R ), the storage 
protocol proceeds as follows (see also Figure 2): 
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1. Initialization. The initializer / generates a combining key k E used by the 
encoding algorithm and recovery keys ki,k 2 , ■ ■ ■ k n , where each key ki is used 
by the recovery algorithm to recover the data for user i. At the same time, 
the adversary initializer / generates the shared key k for T and R. 

k E ,ki,k 2 ,...k n <- /(I s , n), 
k^- /(I s , n). 

2. Entanglement. The encoding algorithm E computes the combined store C 
from the combining key k E and the data df. 

C * E {k E , d \ , d 2 , • ■ • dn'j . 

3. Tampering. The tamperer T alters the combined store C into C: 

C <— T(k, C). 

4. Recovery. The users attempt to recover their data. User i applies his re- 
covery algorithm Ri to ki and the changed store C . Each Ri could be either 
the standard recovery algorithm R , supplied with the encoding scheme, or 
the non-standard algorithm R , supplied by the adversary, depending on the 
choice of the model. 

d'i <— Ri(ki,C) 

We say that user i recovers his data if the output of Ri equals </,. 

3.2 Adversary Classes 

We divide our model on two axes: one bounding the users’ choices of reconstruc- 
tion algorithms and the other bounding the adversary’s power to modify the 
data store. With respect to recovery algorithms, we consider three variants on 
the basic framework (listed in order of increasing power given to the adversary): 

— In the standard-recovery-algorithm model, the users are restricted to a 
single standard recovery algorithm /?, supplied by the system designer. For- 
mally, this means Ri = R for all users i; The adversary’s recovery algorithm 
R is not used. This is the model used to analyze Dagster and Tangier. 

— In the public-recovery-algorithm model, the adversary not only mod- 
ifies the combined store, but also supplies a single non-standard recovery 
algorithm R to all of the users. Formally, we have Ri = R for each i. The 
original recovery algorithm R is not used 1 . We call this an upgrade attack 
by analogy to the real life situation of a company changing the data format 
of documents processed by its software and distributing a new version of the 

1 Though it may seem unreasonable to prevent users from choosing the original re- 
covery algorithm R, any R can be rendered useless in practice by superencrypting 
the data store and distributing the decryption key only with the adversary’s R. We 
discuss this issue further in Section 5.2. 
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software to read them. We believe such an attack is a realistic possibility, 
because most self-interested users will be happy to adopt a new recovery 
algorithm if it offers new features or performance, or if the alternative is 
losing their data. 

— In the private-recovery-algorithm model, the adversary may choose to 
supply the non-standard recovery algorithm R to only a subset of the users. 
The rest continue to use the standard algorithm R. Formally, this model is 
a mix of the previous two models: Ri = R for some i and Ri = R for others. 

We also differentiate between two types of tamperers: 

— An arbitrary tamperer can freely corrupt the data store and is not re- 
stricted in any way. Most real-life systems fit into this category as they place 
no restrictions on the tamperer. 

— A destructive tamperer can only apply a transformation to the store 
whose range of possible outputs is substantially smaller than the set of in- 
puts. The destructive tamperer can superimpose its own encryption on the 
common store, transform the store in arbitrary ways, and even add addi- 
tional data, provided that the cumulative effect of all these operations is to 
decrease the entropy of the data store. Though a destructive tampering as- 
sumption may look like an artificial restriction, it subsumes natural models 
of block deletion or corruption, and either it or some similar assumption is 
needed to achieve all-or-nothing integrity in the private-recovery-algorithm 
model. 

An adversary class specifies what kind of tamperer T is and which users, 
if any, receive R as their recovery algorithm. Altogether, we consider 6 (= 3 x 2) 
adversary classes, each corresponding to a combination of constraints on the 
tamperer and the recovery algorithms. 

4 Dependency and All-or-Nothing Integrity 

We now give our definition of document dependency for a particular encoding 
scheme and adversary class. We first discuss some basic definitions and assump- 
tions in Section 4.1. Our strong notions of entanglement, called dependency 
and all-or-nothing integrity, are defined formally in Section 4.2. 

4.1 Preliminaries 

Because we consider protocols involving probabilistic Turing machines, we must 
be careful in talking about probabilities. Fix an encoding (/, E, R), an adversary 
A = ( I,T,R ), and the recovery algorithm Ri for each user i. An execution of 
the resulting system specifies the inputs hi and d,; to E, the output of E, the 
tamperer’s input k and output C, and the output of the recovery algorithm 
R, ( R(ki,C ) or R(k,ki,C ) as appropriate) for each user. The set of possible 
executions of the storage system is assigned probabilities in the obvious way: the 




Towards a Theory of Data Entanglement 



185 



probability of an execution is taken over the inputs to the storage system and 
the coin tosses of the encoding scheme and the adversary. It will be convenient 
to consider multiple adversaries with a fixed encoding scheme. In this case, we 
use Pr J 4 (Q) to denote the probability that an event Q occurs when A is the 
adversary. 

During an execution of the storage system, the tamperer alters the combined 
store from C into C. As a result, some users end up recovering their documents 
while others do not. We summarize which users recover their documents in a 
recovery vector, which is a vector- valued random variable r in which r,; = 1 
if Ri(ki,C) = di (i.e., if user i recovers his document) and 0 otherwise. For 
example, if the server contains documents d±,d 2 , and d 3 and in an execution we 
recover only d± and d 2 , then r = 110 . 



4.2 Our Notions of Entanglement 

In Section 2, we observed that the block-sharing notion of entanglement provided 
by Dagster and Tangier is not adequate for our purposes. This motivates us to 
propose the notion of document dependency, which formalizes the idea that 
“if my data depends on yours, I can’t get my data back if you can’t.” In this way, 
the fates of specific documents become linked together: specifically, if document 
di depends on document dj, then whenever dj cannot be recovered neither can 
di . 

Given just one execution, either users i and j each get their data back or 
they don’t. So how can we say that the particular outcome for i depends on the 
outcome for j? Essentially, we are saying that we are happy with executions in 
which either j recovers its data (whether or not i does) or in which j does not 
recover its data and i does not either. Executions in which j does not recover 
its data but i does are bad executions in this sense. We will try to exclude these 
bad executions by saying that they either never occur or occur only with very 
low probability. Formally: 

Definition 1. A document di depends on a document dj with respect to a class 

A 

of adversaries A, denoted di dj, if for all adversaries A € A, 

Pr[r.j = 0 V r-j = 11 > 1 — e. 

A J J 

Remark 1. Hereafter, e refers to a negligible function of the security parameter 



The ultimate form of dependency is all-or-nothing integrity. Intuitively, 
a storage system is all-or-nothing if either every user i recovers his data or no 
user does: 

2 A function e : N 1 — > (0, 1) is negligible if for every c > 0, for all sufficiently large s, 
e(s) < l/s c . See any standard reference, such as [10], for details. 
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Definition 2. A storage system is all-or-nothing with respect to a class of 
adversaries A if, for all A £ A, 

Pr [r = 0” V r = l n ] > 1 - e. 

It is easy to show that 

Theorem 3. A storage system is all-or-nothing with respect to a class of ad- 

A 

versaries A if and only if, for all users i,j, di dj. 

All-or-nothing integrity is a very strong property. In some models, we may 
not be able to achieve it, and we will accept a weaker property called symmetric 
recovery. Symmetric recovery requires that all users recover their documents 
with equal probability: 

Definition 3. A storage system has symmetric recovery with respect to a 
class of adversaries A if, for all A £ A and all users i and j, 

Pr [n = 1] = Pr [rj = 1]. 

Symmetric recovery says nothing about what happens in particular execu- 
tions. For example, it is consistent with the definition for exactly one of the data 
items to be recovered in every execution, as long as the adversary cannot affect 
which data item is recovered. This is not as strong a property as all-or-nothing 
integrity, but it is the best that can be done in some cases. 

5 Possibility and Impossibility Results 

The possibility of achieving all-or-nothing integrity (abbreviated AONI) de- 
pends on the class of adversaries we consider. In Sections 5.1 through 5.3, we 
consider adversaries with an arbitrary tamperer. We show that AONI cannot 
always be achieved in this case. Then in Section 5.4, we look at adversaries with 
a destructive tamperer. We give a simple interpolation scheme that achieves 
all-or-nothing integrity for a destructive tamperer in all three recovery models. 

5.1 Possibility of AONI for Standard-Recovery- Algorithm Model 

In the standard-recovery-algorithm model, all users use the standard recovery 
algorithm R\ that is Ri = R for all users i. 

This model allows a very simple mechanism for all-or-nothing integrity based 
on Message Authentication Codes (MACs) 3 . The intuition behind this mecha- 
nism is that the encoding algorithm E simply tags the data store with a MAC 

3 Informally, a MAC consists of a key generator GEN, a tagging algorithm TAG 
that associates a tag o with message m, and a verification algorithm VER that 
can be used to check if (m, a) is a valid message/tag pair. A MAC is existentially 
unforgeable under chosen message attacks if the adversary cannot forge a valid 
message/tag pair even after interacting polynomially many times with a signing 
oracle (see [11] for details). 
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using a key known to all the users, and the recovery algorithm R returns an 
individual user’s data only if the MAC on the entire database is valid. 

We now give an encoding scheme (I, E, R) based on a MAC scheme (GEN, 
TAG, VER)-. 

Initialization. The initialization algorithm I computes Umac — GEN (I s ). It 
then returns an encoding key Le = Lmac and recovery keys R = (i, I^mac)- 
Entanglement. The encoding algorithm E generates an n-tuple 

m = (d\, d- 2 , ■ ■ ■ , d n ) and returns C = (in, a) where a = T AG(}cmac, vn). 
Recovery. The standard recovery algorithm R takes as input a key fc, = (i, 
kMAc) and the (possibly modified) store G = (rh,a). It returns ?h,: if 
VER(kMAC,di,a) = accept and returns a default value _L otherwise. 

The following theorem states that this encoding scheme achieves all-or-nothing 
integrity with standard recovery algorithms: 

Theorem 4. Let (GEN,T AG,VER) be a MAC scheme that is existentially 
unforgeable against chosen message attacks , and let (I, E, R) be an encoding 
scheme based on this MAC scheme as above. Let A be the class of adversaries 
that does not provide non-standard recovery algorithms R. Then there exists 
some minimum So such that for any security parameter s > so and any inputs 
d\, . . . ,d n with |e?, ; | < s, (I, E, R) is all-or-nothing with respect to A. 

5.2 Impossibility of AONI 

for Public and Private-Recovery- Algorithm Models 

In both these models, the adversary modifies the common store and distributes 
a non-standard recovery algorithm R to the users (either to all users or only to 
a few select accomplices). Let us begin by showing that all-or-nothing integrity 
cannot be achieved consistently in either case: 

Theorem 5. For any encoding scheme (I,E,R), if A is the class of adver- 
saries providing non-standard recovery algorithms R, then (I,E,R) is not all- 
or-nothing with respect to A. 

The essential idea of the proof is to have the adversary supply a defective 
recovery algorithm R that fails randomly with probability 1/n. This yields a 
constant probability converging to 1/e that some document is not returned, 
while all others are. 

This proof is rather trivial, which suggests that letting the adversary sub- 
stitute an error-prone recovery algorithm in place of the standard one gives the 
adversary far too much power. But it is not at all clear how to restrict the model 
to allow the adversary to provide an improved recovery algorithm without al- 
lowing for this particular attack. Allowing users to apply the original recovery 
algorithm R can be defeated by superencrypting the data store and burying the 
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decryption key in the error-prone R ; defeating this attack would require analyz- 
ing R to undo the superencryption and remove the errors, a task that is likely 
to be difficult in practice 4 . 

On the other hand, we do not know of any general mechanism to ensure that 
no useful information can be gleaned from R , and it is not out of the question 
that there is an encoding so transparent that no superencryption can disguise 
it for sufficiently large inputs, given that both R and the adversary’s key k are 
public. 



5.3 Possibility of Symmetric Recovery 

for Public-Recovery-Algorithm Model 

As we have seen, if we place no restrictions on the tamperer, it becomes impos- 
sible to achieve all-or-nothing integrity in the public-recovery-algorithm model. 
We now show that we can still achieve symmetric recovery. 

Because we cannot prevent mass destruction of data, we will settle for pre- 
venting targeted destruction. The basic intuition is that if the encoding process is 
symmetric with respect to permutations of the data, then neither the adversary 
nor its partner, the non-standard recovery algorithm, can distinguish between 
different inputs. Symmetry in the encoding algorithm is not difficult to achieve 
and basically requires not including any positional information in the keys or 
the representation of data in the common store. One example of a symmetric 
encoding is a trivial mechanism that tags each input dj with a random fc,; and 
then stores a sequence of (d,, ki) pairs in random order. 

Symmetry in the data is a stronger requirement. We assume that users’ docu- 
ments di are independent and identically distributed (i.i.d.) random variables. If 
documents are not i.i.d (in particular, if they are fixed), we can use a simple trick 
to make them appear i.i.d.: Each user i picks a small number r,; independently 
and uniformly at random, remembers the number, and computes d\ = dj©G(rj), 
where G is a pseudorandom generator. The new d( are also uniform and inde- 
pendent (and thus computationally indistinguishable from i.i.d.). The users can 
then store documents d! i (1 < i < n) instead of the original documents di. To 
recover di, user i would retrieve d' from the server and compute dj = d( © G(r,;). 

We shall need a formal definition of symmetric encodings: 

Definition 4. An encoding scheme (/, E , R) is symmetric if, for any s and 
n, any inputs d\, d 2 , • ■ • d n , and any permutation 7 r of the indices 1 through n, 
if the joint distribution of k \ , &2 , . . . , k n and C in executions with user inputs 
di, d 2 , . . . d n is equal to the joint distribution of k ^ 1 , k n2 , . . . , Av n and C in exe- 
cutions with user inputs d 7Tl , d^ 2 , . . . d^ n . 

4 Whether it is difficult from a theoretical perspective depends on how well R can be 
obfuscated; though obfuscation is impossible in general [3], recovering useful infor- 
mation from R is likely to be difficult in practice, especially if the random choice to 
decrypt incorrectly is not a single if-then test but is the result of accumulating error 
distributed throughout its computation. 
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Using this definition, it is easy to show that any symmetric encoding gives 
symmetric recovery: 

Theorem 6. Let (/, E, R) be a symmetric encoding scheme. Let A be a class of 
adversaries as in Theorem 5. Fix s and n, and let d\, . . . ,d n be random variables 
that are independent and identically distributed. Then (/, E, R) has symmetric 
recovery with respect to A. 

5.4 Possibility of AONI for Destructive Adversaries 

Given the results of the previous sections, to achieve all-or-nothing integrity we 
need to place some additional restrictions on the adversary. 

A tampering algorithm T is destructive if the range of T when applied to 
an input domain of to distinct possible data stores has size less than m. The 
amount of destructiveness is measured in bits: if the range of T when applied 
to a domain of size m has size r, then T destroys lg m — lg r bits of entropy. 
Note that it is not necessarily the case that the outputs of T are smaller than 
its inputs; it is enough that there be fewer of them. 

Below, we describe a particular encoding, based on polynomial interpolation, 
with the property that after a sufficiently destructive tampering, the probability 
that any recovery algorithm can reconstruct a particular di is small. While this 
is trivially true for an unrestrained tamperer that destroys all lg to bits of the 
common store, our scheme requires only that with n documents the tamperer 
destroy slightly more than nlg(n/e) bits before the probability that any of the 
data can be recovered drops below e (a formal statement of this result is found 
in Corollary 1). Since n counts only the number of users and not the size of the 
data, for a fixed population of users the number of bits that can be destroyed 
before all users lose their data is effectively a constant independent of the size 
of the store being tampered with. 

The encoding scheme is as follows. It assumes that each data item can be 
encoded as an element of Z p , where p is a prime of roughly s bits. 

Initialization. The initialization algorithm I chooses £q, • • • k n indepen- 

dently and uniformly at random without replacement from Z p . It sets fc# = 
(fci, & 2 , • • . , k n ) and then returns fee, k\, . . . k n . 

Entanglement. The encoding algorithm E computes, using Lagrange interpo- 
lation, the coefficients c„_i, c n _ 2 , • • . Co of the unique degree (n — 1) poly- 
nomial / over Z p with the property that f{kf) = di for each i. It returns 

C — ( C n — i , C n — 2 , . . . Co) . 

Recovery. The standard recovery algorithm R returns f{ki), where / is the 
polynomial whose coefficients are given by C . 

Intuitively, the reason the tamperer cannot remove too much entropy without 
destroying all data is that it cannot identify which points d = f(k) correspond to 
actual user keys. When it maps two polynomials f\ and fi to the same corrupted 
store C , the best that the non-standard recovery algorithm can do is return 
one of fi(ki) or fi{ki) given a particular key fcj. But if too many polynomials 
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are mapped to the same C, the odds that R returns the value of the correct 
polynomial will be small. 

A complication is that a particularly clever adversary could look for poly- 
nomials whose values overlap; if f\(k) = / 2 (fc) , it doesn’t matter which / the 
recovery algorithm picks. But here we can use that fact that two degree ( n — 1) 
polynomials cannot overlap in more than (n — 1) places without being equal. 
This limits how much packing the adversary can do. 

As in Theorem 6, we assume that the user inputs d\, . . . ,d n are chosen in- 
dependently and have identical distributions. We make a further assumption 
that each di is chosen uniformly from Z p . This is necessary to ensure that the 
resulting polynomials span the full p n possibilities 5 . 

Theorem 7. Let (/, E, R) be defined as above. Let A = (/, T, R) be an adversary 
where T is destructive: for a fixed input size and security parameter, there is a 
constant M such that for each key k, 

\{T(k,f)}\<M, 



where f ranges over the possible store values, i.e. over all degree-(n — 1) polyno- 
mials over Z p . If the di are drawn independently and uniformly from Z p , then 
the probability that at least one user i recovers di using R is 



Pr[r ^ 0 n ] < 



2 n 2 + nM V n 
P 



even if all users use R as their recovery algorithm. 



We can use Theorem 7 to compute the limit on how much information the 
tamperer can remove before recovering any of the data becomes impossible: 

Corollary 1. Let ( I,E,R ) and (I,f,R) be as in Theorem 7. Let e > 0 and let 
p > 4 n 3 /e. If for any fixed k, tamperer T destroys at least ?rlg(n/e) + 1 bits of 
entropy, then 

Pr[r = 0 n l > 1 - e. 

A L 



6 Conclusion and Future Work 

Our results are summarized below: 





Destructive Tamperer 


Arbitrary Tamperer 


Standard Recovery 


all-or-nothing 


all-or-nothing 


Public Recovery 


all-or-nothing 


symmetric recovery 


Private Recovery 


all-or-nothing 


no guarantees possible 



5 The assumption that the documents are i.i.d. does not constrain the applicability of 
our results much, because the technique to get rid of it described in Section 5.2 can 
also be used here. 
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They show that it is possible in principle to achieve all-or-nothing integrity 
with only mild restrictions on the adversary. Whether it is possible in practice 
is a different question. Our model abstracts away most of the details of the stor- 
age and recovery processes, which hides undesirable features of our algorithms 
such as the need to process all data being stored simultaneously and the need 
to read every bit of the data store to recover any data item. Some of these un- 
desirable features could be removed with a more sophisticated model, such as a 
round-based model that treated data as arriving over time, allowing combining 
algorithms that would touch less of the data store for each storage or retrieval 
operation at the cost of making fewer documents depend on each other. The 
resulting system might look like a variant of Dagster or Tangier with stronger 
mechanisms for entanglement. But such a model might permit more dangerous 
attacks if the adversary is allowed to tamper with data during storage, and find- 
ing the right balance between providing useful guarantees and modeling realistic 
attacks will be necessary. We have made a first step towards this goal in the 
present work, but much still remains to be done. 
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Abstract. We present and analyze portable access control mechanisms 
for large data repositories, in that the customized access policies are 
stored on a portable device (e.g., a smart card). While there are signif- 
icant privacy-preservation advantages to the use of smart cards anony- 
mously created and bought in public places (stores, libraries, etc), a 
major difficulty is that, for huge data repositories and limited-capacity 
portable storage devices, it is not possible to represent any possible ac- 
cess configuration on the card. For a customer whose card is supposed 
to contain a subset S of documents, access to all of S must be allowed. 
In some situations a small enough number of “false positives” (which 
are accesses to non-5 1 documents) is acceptable to the server, and the 
challenge then is to minimize the number of false positives implicit to 
any given card. We describe and analyze schemes for both unstructured 
and structured collections of documents. For these schemes, we give fast 
algorithms for efficiently using the limited space available on the card. 
In our model the customer does not know which documents correspond 
to false positives, the probability of a randomly chosen document being 
a false positive is small, and information about false positives bound to 
one card is useless for any other card even if both of them permit access 
to the same set of documents S. 



1 Introduction 

In this work we consider a very large collection of documents or other objects, and 
do not limit the customers to rigid menus of pre-defined sets of items to which 
they may have access. With the rapid recent increase in the number and the 
level of maturity of on-line document collections (digital libraries and the like) 
that provide payment-based access to their documents, this model has emerged 
as an appropriate way of dealing with this explosive growth. To make this model 
as flexible and convenient for the customer as possible, we allow each customer 
to choose a custom set of documents to be included in his subscription order. 

* Portions of this work were supported by Grants IIS-0325345, IIS-0219560, IIS- 
0312357, and IIS-0242421 from the National Science Foundation, Contract N00014- 
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tion and Research in Information Assurance and Security, and by Purdue Discovery 
Park’s e-enterprise Center. 
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As stated above, this model might not appear interesting or challenging to 
implement: each customer receives a unique policy configuration that allows him 
to access the documents requested. What makes it intriguing are the additional 
requirements that we impose: we wish to fit such customer policy configurations 
into a limited amount of space, yet still be able to provide access to large data 
sets. This requirement becomes important in our era of portable devices such as 
smart cards and sensors that are space and/or battery- limited. 

One might argue that putting the access policies on limited-storage smart 
cards is not a sound approach to portable access rights, that one can instead 
store the access policies on the server end. For privacy reasons, instead of storing 
customers’ real identity, the server and the smart card could then store only a 
random ID (a pseudonym) while the access policies associated with that ID are 
kept at the server. In this case, the customer gets privacy without any need for 
storing the access policies on the card itself. This, however, has the disadvantage 
that tracking and profiling of a random ID’s document access patterns is still 
possible; the danger then is that, if even once the random card ID is associated 
with an event (e.g., access from a particular IP address) that is linked to the 
customer’s real identity, the whole access history of that individual becomes 
known to the server. This problem does not occur when the access policies are 
on the card itself. As both a metaphor and an example, we envision a customer, 
who walks into a bookstore; selects a number of items from a large universe of 
books, articles, and newspapers; pays with cash; and receives a smart card that 
provides him private access to the selected items at many terminals in various 
locations at stores, libraries, etc. 

Storing access rights on the card itself has another advantage in that the 
entity that issues the card can be distinct from the entity that provides access to 
the data. In other words, the customer policy configuration can be constructed 
and written on the card by the data owner, while access to the data is performed 
by a third-party data publisher (possibly not completely trusted) . Digital Rights 
Management (DRM) opens another avenue for utilizing digital portable access 
rights that the card can carry (see [2] for an overview of DRM techniques). For 
example, a card can manage access to a large collection of multi-media objects 
while using only a limited local storage space. 

As we attempt to reduce the storage requirements of access policies, we lose 
the ability to represent all possible subsets of the documents in a deterministic 
way. Some documents or subsets of documents might have to share the same 
access policies which means that, given a configuration policy, a customer might 
unintentionally receive access to more documents that was originally requested; 
we refer to these accessible yet not requested (hence not paid for) documents as 
“false positives.” Companies can clearly not charge their customers for such false 
positives, yet they will need to minimize them and the losses they cause. One 
of our main goals is therefore minimizing these additional “false positive costs” 
caused by the limited storage space. To prevent dishonest customers from shar- 
ing information learned about the false positives implicit to their card, we also 
require policy representations to be unique to each card, even if they correspond 
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to the same set of documents. It is the constraints such as this minimization and 
the requirement of unique policy representations that make this problem very 
different from a mere data compression problem. Another (more minor) reason 
why we cannot use compression is that the access policies representations must 
be usable “as is” without uncompressing them first: There is no room in the 
smart card for that, and using server memory to uncompress would throw us 
back into the lack of privacy-preservation that we sought to avoid. 

Our contributions are as follows: (i) For an unstructured collection of doc- 
uments, we give and analyze a scheme that is based on generating a “good” 
random permutation for the documents in a subscription and is suitable for 
any arbitrary subset of the documents. We provide analysis of time complexity 
and cost of the scheme, (ii) For a structured collection of documents, we give a 
scheme similar to the random permutations one which has been modified to ap- 
propriately suit the structured data. We provide analysis of its time complexity. 

This paper is organized as follows: Section 2 provides an overview of prior 
work. Section 3 gives a detailed problem specification and requirements that we 
impose on any solution. In section 4, we describe our solution for an unstructured 
collection of documents and provide efficient algorithms for card generation. 
That section also discusses viability of our scheme and analyzes it with respect 
to our design goals. In section 5, we describe a solution for the (more difficult) 
case of structured data, namely hierarchies, and provide algorithms for them as 
well. Finally, section 6 concludes the paper and gives directions for future work. 



2 Related Work 

Most literature on digital libraries does not explore the problem of access control, 
and many deployed systems nowadays provide only a single or otherwise a few 
inflexible subscription types. Payette and Lagoze [19] recognized this problem 
and proposed a way of solving it by introducing a spectrum of policy enforcement 
models which range from system-wide to object-specific and are capable of pro- 
viding very flexible access control. They, however, give only a general framework 
for specifying policy enforcement mechanisms but do not deal with the problem 
of policy assignment itself. 

Work conducted on XML [23] explores the problem of access control for on- 
line documents. Recently, there has been extensive work on securing access to 
XML documents and using XML as a tool for specifying security policies [6-8, 
13,14]. Bertino et al. [5] use binary strings to represent both customer policy 
configurations and document policies in the third-party publisher model, i.e., the 
model in which the roles of the data owner (who assigns policy configurations to 
its customers) and data publishers (who provide the service and enforce access 
control) are separate. We consider binary strings to be the most space efficient 
and precise way of policy representation and adopt policies in the form of binary 
strings in our work. Bertino et al., however, allocate one bit per policy on the 
assumption that there will be a limited number of different subscription types, 
and their approach becomes inefficient as the data repository grows in size and 
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each customer chooses a customized document subscription set. Therefore, we 
need a new method of representing policy strings so as to be able to store and 
use them on space-limited media. 

The idea of achieving space efficiency at the cost of a small probability of false 
positives was introduced in Bloom [9] . The Bloom filter is a clever randomized 
data structure for concisely representing a set to support approximate member- 
ship queries and is widely used in a broad spectrum of applications ([10, 15, 18], 
to name a few). The queries never result in false negatives (i.e., a query result 
never says that an item is not a member of the set if it, in fact, is a member) 
but might result in false positives with a small probability, which is acceptable 
for many applications. This approach achieves a better space utilization than a 
simpler representation with one hash function, but even in the case of Bloom 
filters, the filter length (which in our case corresponds to the card capacity) 
should be larger than the total number of items in the set n to result in a rea- 
sonable performance. This is not suitable for the problem we are trying to solve 
and therefore the Bloom filter approach cannot be used “as is” for our problem. 
Customized Bloom filters also do not appear to provide acceptable results. 

The problem of policy assignment of minimal cost for a set of homogeneous 
objects within a large data repository was explored in more detail in Bykova and 
Atallah [11], and their problem is very close to the one we are considering. The 
present paper adds two new dimensions to the problem, and ends up with very 
different solutions from [11]: (i) it considers hierarchically structured collections 
of documents, and (ii) it is inherently resilient to collusive attacks by users. In the 
schemes of [11], the policy assignment algorithm is static and the pattern of false 
positives is preserved over all subscription orders and customers. This means that 
once a customer has learned that a particular combination of documents results 
in free access to another document (false positive), he can enable a different 
customer with the same subscription set to also obtain the same false positive. 

Recent techniques for the problem of software license management through 
portable limited-storage card-based access rights [4, 3] do not apply to our prob- 
lem, mainly because we cannot afford to avail ourselves of resources external to 
the card (as was the case in [4, 3]). 

Work on unlinkability and untraceability was started by Chaum [12] and has 
been explored more extensively in recent years. In particular, work on unlinka- 
bility includes anonymous group authentication ([21,17,20,16] and others) and 
unlinkable serial transactions [22] for subscription-based services. Prior work, 
however, does not account for the fact that descriptions of access rights (or ser- 
vice types) may be long and required to be portable, while we describe a scheme 
that combines compact policy representation with transaction unlinkability. 

3 Problem Specification 

The goal is to design an access control scheme for the following specifications: 

1. We are given a large data collection of n items (documents, multimedia 

objects, etc.). 
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2. A customer can request access to any subset of the items in the repository 
(to documents) and is charged according to the set of documents selected. 

3. Access policy configuration is stored on a card of limited capacity of k cells, 
each cell having O(logn) bits such that klogn < n and k Km 1 . 

Below are the properties that guide our design decisions and which we seek in 
any solution: 

1. Low rate of false positives. One of our main goals is to design a scheme 
with a reasonably low rate of false positives meaning that, given a subscrip- 
tion order for to documents, the number of documents m! that the customer 
can unintentionally access for free is bounded by some suitably low value. 
The threshold could be defined as a function of in' , to, and/or n, but in all 
cases must be tolerably low to the service provider. 

2. Transaction untraceability. For customer privacy, transactions should 
not be linked back to the customer who is making a request to access a 
document. 

3. Transaction unlinkability. To provide further customer privacy, two trans- 
actions by a single customer should not be linked together, thus making 
customer profiling impossible. This desired property does not allow us to 
permanently store complete customer orders at the service provider, and it 
is desirable that an order is processed by a separate entity (e.g., the data 
owner) and discarded after it has been processed. 

4. Unforgeability. It should be impossible for an entity other than the legal 
service provider to issue cards that will allow access to the document repos- 
itory. This means that all terminals that read smart cards will ask a smart 
card to present evidence of authenticity of the card (evidence that only the 
service provider can initially issue). 

5. Unique policy representation. In order to lower damage caused by dis- 
honest customers that collaborate to discover as many free documents (false 
positives) as possible, we would like our scheme to be resistant to such be- 
havior. This requires not only that false positives depend on the subscription 
order but they uniquely differ from one request to another even when the set 
of requested documents stays unchanged over multiple orders. With such a 
scheme in place, no correlation between free documents in different orders is 
possible, and any gain to customers who collude is eliminated. All a dishon- 
est customer can do is to try to discover for himself the free documents for 
his particular order, which, combined with some penalty mechanism, can be 
prohibitively inefficient for him to do. 

6. No additional sources of information. All information needed to per- 
form access control verification should be stored on the card itself. No other 
sources of additional storage may be required (such as storage space of a 
home workstation in case of software license management), as there is no 
single place where such information can be stored. 

1 If k > to, the list of selected documents can be explicitly stored on the card. 
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7. Fast access verification. Policy enforcement and access verification should 
be performed in real time and thus expensive computations should be 
avoided. 

8. In-house card generation. The card generation process should be rela- 
tively short. It might be performed on a powerful computer, but within a 
certain time limit. For example, a card can be generated while the customer 
is waiting in a line for the cashier at a bookstore. 

A case can be made for relaxing this last constraint if there exists a scheme 
that requires an extended amount of time for card generation but is much 
more efficient and less costly (compared to other models that obey this con- 
straint) . In this case, a card is delivered to the customer when its processing 
completes (like an order at a pharmacy, that usually involves a wait). 

9. Forward compatibility. An old card does not lose its validity as the repos- 
itory grows. 

4 Solution for Unstructured Data 

We now present our approach for an unstructured collection of documents and 
provide its analysis. In what follows and in the rest of this paper we use to 
the term order to refer to a subscription order of m documents for which the 
customer pays and receives a card that permits access to those documents. We 
use the term request to refer to a request to access a document by a customer 
who already possesses a card and wishes to view a document. 

Our solution consists of generating random permutations of documents in- 
cluded into an order until they are clustered in such a way that the cost (in terms 
of false positives) of storing the permuted documents on a smart card is below a 
certain threshold (defined later). After generating the subsequent permutation 
of the documents, we run the evaluation algorithm to compute the cost of the 
optimal solution for that particular set of permuted documents. If the cost is 
acceptable, the algorithm terminates and the solution is written to the card; 
and a new permutation is generated and tested otherwise. Information written 
on the card includes the data that can be used to reproduce the permutation, as 
well as a number of document intervals that indicate access to which documents 
should be granted. The intervals include all documents from the subscription 
order and as few additional documents (i.e., not from the original order) as pos- 
sible. Consider an oversimplified example where the repository has a size of 10, 
our card can store 2 intervals, and we receive a customer subscription order for 
documents 1, 5, 7, and 9. Suppose that after permuting the documents we obtain 
set {2, 3, 6, 8}, so the best option in this case is to use intervals 2-3 and 6-8 for 
storing the set on the card. The cost of a solution is computed as the number of 
false positives (in the example above, the cost of the permutation is equal to 1). 

Both the random permutation seed and the document intervals are a subject 
to the card’s storage constraints. Since a smart card’s capacity is 0(fclog?r), we 
can use it to store 0(k) numbers within the range {1, . . ., n}, or k intervals. The 
permutation seed can be up to O(fclogn) bits long. 
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Every interval included in a solution can be either positive, i.e. , specifies a 
range of documents to which access should be granted, or negative, i.e., specifies a 
range of documents to which access should be denied. In the case of unstructured 
data, negative ranges do not improve the result by decreasing the cost of a 
solution, as the lemma below shows (but, as we show later on, they are necessary 
for structured data). 

Lemma 1. For unstructured data, for every solution of cost C expressed using 
both positive and negative ranges there is a solution of cost C' expressed using 
only positive ranges, such that C' < C. 

Proof. Omitted due to space limitations and can be found in [1]. □ 

In the rest of this section, we use r = {n, . . ., r m } to compactly represent a 
customer order of m documents. Each r, uniquely identifies a single document 
in the repository (i.e., it is a number in the range {1, . . .,n}) and all rf s are 
sorted in increasing order such that Vi < ri+ 1 for 1 < i < in. We first present 
an algorithm for producing a suitable encoding to be placed on a card (given 
in section 4.1). This is a high level algorithm that tries different solutions until 
the conditions corresponding to the policies are satisfied. It uses two additional 
algorithms as its subroutines: an algorithm to produce a permutation (discussed 
in section 4.3) and a linear-time algorithm to compute a cost of a permutation 
(given in section 4.2). We give asymptotic bounds of our solution and also dis- 
cuss possibilities for generating a random permutation. Later in this section we 
explore this approach in terms of its economic feasibility (section 4.5), and the 
next section (section 5) provides an extension to it that covers structured data. 



4.1 Algorithm for Producing a Solution 

To find a suitable encoding for a customer order, we might have to try numerous 
permutations of n elements until one that satisfied certain criteria is found. These 
criteria can be expressed in terms of the cost of a solution (e.g., the number of 
false positives for the permutation produced falls below a certain threshold) , in 
terms of a time interval during which a solution should be computed, or some 
other requirements. These rules are examined in more detail in section 4.5. 

The algorithm we provide below takes a subscription order of m documents 
and a set of rules, which tell the algorithm to stop when they are satisfied. It 
runs until a suitable solution is found and returns an encoding to be stored on a 
smart card, which consists of a permutation seed s and k intervals that optimally 
represent the requested documents r. 

Input: The repository size n, a customer order of in documents r = {ri, . . ., r m }, 
and a set of stopping criteria r = {ri, . . ., r*}. 

Output: A seed s for generating a permutation and k intervals to be stored on 
a smart card. 
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Algorithm 1: 

1. Seed the permutation algorithm with a random number s. 

2. Permute the m documents to get pi = ir s (ri) for each document r* € r. 

3. Sort the p.j’s (0(mlog(m)) time). 

4. Run the evaluation algorithm to find the cost of the permutation ( 0{m ) 
time, per section 4.2). 

5. Apply the evaluation rules r to the result: if a sufficient subset t' C t of 
them, 1 < \t'\ <t, is satisfied, output the solution. Otherwise go to step (1). 

The asymptotic bound of a single run of the algorithm depends on the choice 
of the permutation function (discussed in section 4.3). The total running time 
of the algorithm depends on the evaluation criteria and cannot be expressed 
as a function of the input parameters in the general case. The upper bound 
of the algorithm is 0(n k ) loop invocations, but typical values are lower. This 
time is constrained by the space available for storing a random seed s: there are 
O(2 fe log ") = 0(n k ) possible seed values that can be stored on the card. 

4.2 Algorithm for Computing the Cost of a Permutation 

The algorithm given in this section corresponds to step 4 of Algorithm 1. As the 
input, it expects a set of m distinct permuted documents sorted in increasing 
order p = {pi, . . ., p m } and computes k disjoint intervals of the minimal cost 
that include all of the Pi s and as few other documents as possible. Our algorithm 
works by computing distances between the documents in the set p and excluding 
the largest k — 1 of them, so that the overall cost of the covering is minimized. 

Input: The repository size n and a sorted set of in elements p = {p±, . . ., p m }. 

Output: k disjoint intervals that contain all of the p,;’ s and as few other elements 
as possible. 

Algorithm 2: 

1. Let x be the value of pi, y the value of p m . Compute ci, . . . , c m _i, where Ci 
is the number of documents between the elements pi and Pi+i not including 
either p, or Pi+\. For example, c\ is computed as c\ = P 2 — pi — 1. 

2. In 0(m) time select a (k — l) th largest among ci, . . . , c m _i (say it is Cj ). 

3. In 0(m) time go through ci, . . . , c m _i and choose k — 2 entries that are > Cj. 
Those entries and Cj correspond to the k — 1 “gaps” between the optimal k 
intervals, i.e., they define the optimal k intervals. 

Note that the “cost” of the solution is C = Ci + ... + c m _i— (sum of the largest 
k — 1 Cj’s), which also proves the correctness of the algorithm because c\ + . . . + 
c m - 1 is the number of documents between positions x and y other than the 
elements of p, and the best that can be done is by “excluding” the large Cj’s 
from the chosen intervals. It is also clear that the algorithm runs in 0{m) time 
since every step (1) — (3) runs in 0(m) time. 
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The actual monetary damage caused by the false positives might not be 
linear in the number of false positives, but instead could be some other (possibly 
arbitrary) function specified by the service provider. In this case, however, the 
algorithm will still produce correct results, and the cost function itself can be 
incorporated into the set of stopping rules r, as we explain in section 4.5. 

4.3 Algorithms for Producing a Permutation 

There are several well-known methods for computing random permutations. Any 
method that has the following properties should be suitable for our approach: 

— The permutation can be specified by a seed, i.e., given a seed value, the 
permutation could be reproduced from it. Recall that the set of storable 
seeds does not “access” all possible permutations of n elements, but only a 
random subset of 0(n k ) of these permutations 2 . This turns out to be enough 
in practical situations (cf. discussion in section 4.5). 

— The algorithm allows concurrent computing of a mapping for a single ele- 
ment. It is then not necessary to compute the permutation mappings for 
0(n ) documents of the data collection at the access verification time just 
to obtain one of them that we are interested in. We can also directly com- 
pute the mappings for the m documents included in the order during card 
creation time without having to generate all of the mappings. 

For discussion and an example of a permutation algorithm satisfying these re- 
quirements (omitted from this paper due to space constraints) see [1]. 

4.4 Card Operation 

The algorithms presented above describe card generation, but they imply a cor- 
responding operational use of the card, which we sketch here. We assume that 
the card is tamper-resistant, so that the unforgeability constraint is satisfied; 
techniques for achieving tamper-resistance can be found in the literature and 
are beyond the scope of this paper. Also, the card must authenticate itself, e.g., 
by sharing secret keys with the server (a secret key is not unique to a card) 
and/or using other known means of low-computation anonymous authentication 
suitable for smart cards. Policy enforcement by using the policy encoding placed 
on a card is performed as follows. Given a document index i, access to which 
is being requested from the server, and a card that stores a permutation seed s 
and k intervals, the verification process takes the following steps: 

— The card computes a permuted value of i as pi = tt s (i) ■ 

— The card searches its k intervals for pi to determine whether pi is covered 
by one of them. Since we can sort all intervals before storing them on the 
card, this step can be done in 0(log k ) time using binary search. 

2 In cases where a sequence of random numbers is needed by the permutation algo- 
rithm, the seed can be used to initialize a pseudo-random number generator. 
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— If pi is covered by one of the k intervals, the card requests the document i 
from the server. Otherwise, it notifies the user about access denial. 

One can see from the above that the untraceability and unlinkability constraints 
of our design (goals (2) and (3) in section 3) are satisfied: Each card anonymously 
authenticates itself and does not send any information to server that might 
happen to be unique and used to link two transactions together. The card also 
does not require any additional sources of information to enforce proper access 
control (goal (6)) and uses an efficient method for such enforcement (goal (7)). 

4.5 Economic Analysis 

This section analyzes the practicability of the scheme described above. We ex- 
plore the possibility of using the scheme under different settings, and examine 
what policies a service provider might specify in order to use the model as ef- 
ficiently as possible. We also make the “stopping criteria” mentioned in the 
previous section that govern permutation selection process more precise. 

Values of interest. As input, we are given the size of data repository n and 
the number of documents in a customer order m 3 . Other parameters of use for 
determining what an acceptable cost is are: 

Ccard(jTi) - price a customer pays for an order of to documents, which can be a 
possibly arbitrary function of the documents that comprise the order. 
t(m) - maximum number of requests to documents access to which was denied. 
Each card can count the number of attempts to view documents that were 
denied. When a customer requests a document not bound to the card, not 
only is the access denied, but also the permitted limit of unsuccessful requests 
is decremented. After t such attempts, the count reaches zero and the card 
is self-invalidated (i.e. , the policy here is “t strikes and you are out”). This 
is to prevent customers from probing their cards for false positives, e.g., by 
trying all documents in the data repository. With this mechanism in place, 
each customer should be informed about t at the time of purchasing the card 
and should be given an explicit list of the documents included into his order. 
m'(n , to) - number of documents that come for free with a card (i.e., the “false 
positives”). This value is computed as a by-product of Algorithm 2, and 
implicitly reflects the card’s capacity k. 

n'(n, to) - number of documents in which an attacker is interested (other than 
the to he ordered) . This value is useful in measuring the attacker’s economic 
gain in case of discovering free accesses to documents. In the worst case, any 
free document can be valuable to the attacker. In the best case, the attacker 
has zero interest in anything outside the to documents he ordered. 

3 In reality, we have the entire order r = {r i, . . ., r m } as an input parameter. For 
simplicity of presentation we assume that the cost of each document is the same 
and to can be treated as a sufficient representation of the set. Similar analysis can 
be carried out when document prices differ from one to another. Then each derived 
value that takes m as a parameter can be computed as a function of the set r itself. 
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Policy alternatives. Each service provider deploying this approach might have 
one or more varying criteria that define an acceptable “false positives” cost of a 
card. Below we list policies that can be used during card generation to govern 
execution of Algorithm 1: 

1. Threshold for the number of false positives m! a card contains. This 

policy might dictate that the absolute value of the number itself is con- 
strained (e.g., /(to 7 ) < m' max ), or its ratio to the number of documents in 
the repository or to the number of documents in the order is constrained by 
some threshold (e.g., / < m' max or / (7^) < m' max , where f(x), 

g(x) and h(x) are arbitrary functions of argument x). We may consider a 
policy that lists several conditions but requires satisfying a subset of them. 

2. Constraints on the gain from cheating. In this type of policies, we 
perform analysis of cheating in terms of the attacker’s loss vs. his gain after 
attempting to access t' out of the n — m documents not included in his 
order. Suppose that t' > t. The expected gain from the attack in this case 
is the difference between the cost of the documents acquired for free from 
the list of n' documents of interest, and the cost of losing the card due to 
this behavior. The gain is then computed as the probability of successfully 
getting a free access to a document multiplied by the document cost, while 
the loss is computed as the probability of losing the card multiplied by the 
cost of the card: 



^ c ( m ') n ' „ ^ 
h/yQCL'lTl) — t • C-card' 



n — m n — m 



t'c(m')n' 
(n — m) 2 



Ccard 



t 

E 




t" t'—t" 

q p 



where c(m') is the cost of having access to m! documents computed according 
to some pricing function. Here p = -3 — specifies the probability of not being 
caught, while q = 1 — p is the probability of begin caught. 

Similarly, we can compute the expected gain when the number of unautho- 
rized attempts is kept below the maximum, i.e., t! < t. In this case, the 
expected gain is computed based on the probability of getting free access, 
and there is no loss for the attacker: 



E(gain) ~ t’ 



c(m') 



n — m n — m 



(1) 



In the worst-case scenario, the attacker might be interested in and benefit 
from any document acquired for free, i.e., n' = n — m, and we can also 
assume that t 1 — t, to maximize the gain. Then equation (1) becomes: 



E(gain) ~ t ■ 



c{m!) 
n — to 



To keep the attacker’s gain low, we might constrain the value by some thresh- 
old. Equation (2) gives such a constraint where the coefficient a plays the 
role of a threshold value that keeps the card’s loss within a specified bound. 



t ■ c(m') 

^ Q: * C-card, 



n — to 



(2) 
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3. Timeout. Under some policies, the card creation process might have to be 
carried within a certain period of time. Then if no suitable permutation is 
found during that interval, the best permutation tried so far is used. 

Based on the policies listed above, we create a set of stopping criteria by possibly 
combining two or more conditions in such a way that the card produced always 
satisfies the card issuer. A sample policy that we provide in [1] and which is 
omitted here shows that our model can accommodate a wide range of reasonable 
policies without requiring lengthy and heavy computations for card creation. 

4.6 Analysis of the Approach 

Our proposed solution is compliant with the desired design properties and min- 
imizes the total number of false positives bound to a card. More precisely, the 
design of our scheme ensures that goals (2)-(7) listed in section 3 are met. Goal 
(9) is achieved by using unique policy representations that “capture” the state 
of the repository at the time of card generation and are self-contained. As we 
add more documents to the repository, the old cards can still be used, for in- 
stance, to reproduce permutations of the documents from the previous state of 
the repository and provide access to the documents from customer subscriptions. 

Our permutation approach also guarantees a low rate of false positives (goal 
(1)), especially if this constraint is a part of the algorithm’s termination criteria. 
Depending on the policies enforced by the service provider, the scheme can be 
evaluated on its time requirements, i.e. , how long, on average, it might take to 
generate a card. Thus, it might or might not comply with goal (8). If the service 
provider employs a policy that includes a timeout, then in-house card generation 
is always achievable. If, on the other hand, he places more weight on minimizing 
the number of false positives, then this constraint might be relaxed. 

5 Structured Data 

This section explores the possibility of extending our approach to structured 
data such as trees. In many data repositories documents are stored in hierarchies, 
which makes it possible to utilize the repository structure and reduce the number 
of false positives in the solution computed. 

5.1 Tree Structure 

Suppose we are given a tree of n documents and a subscription order of m doc- 
uments. The card’s capacity is still O(klogn) bits or 0(k) records, but in this 
case each record, in addition to two numbers that specify a range, might contain 
some other information. We consider both positive and negative ranges for en- 
coding documents on a card. We also consider two different types of placements: 
When a positive or negative assignment is placed on a node v, it can either affect 
the entire subtree rooted at v - we denote this case as recursive - or affect only 
the node on which the assignment is placed - we denote this assignment as local. 
The case where a depth parameter can be stored at v, so as to limit the depth 
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of the subtree included, will be considered later in this section (such a depth 
parameter limits the depth of the nodes influenced by that range, so that nodes 
that are farther than that depth below v are not affected). When two ranges 
overlap, the more specific (= lower in the tree) wins. Finally, the word “cost” 
in the rest of this section is used as “cost of the false positives” (not the dollar 
cost paid by the customer). 

Throughout our algorithm, we use the following notations. For each node 
v, a cost of the subtree rooted at v can be computed in two different contexts: 
positive and negative. If a node v is evaluated in the positive context (the cost 
is denoted by C + (u)), this means that a positive range has been specified at its 
parent or above the parent in the tree. In this case, if no new range is placed 
at v or below, the entire subtree will be included in the final solution. In this 
context, only negative ranges placed at v or below have effect. Similarly, if a 
node v is evaluated in the negative context (the cost is denoted by then 

it means that a negative range has been specified at its parent or above, and by 
default the entire subtree will be excluded from the solution. If no context has 
been specified, we start in the negative context and assume that no nodes are 
included in the solution unless explicitly specified. 

As with any dynamic programming approach, the cost of an optimal solution 
at any given node v needs to be calculated for a number of cases that differ in 
the number of encoding slots available. Thus, we use C + (v, j ) and C~(v, j) to 
mean the cost of encoding the tree rooted at v in positive and negative contexts, 
respectively, with j storage slots available, where 0 < j < k. 

Here we provide an algorithm for binary trees, which can naturally be ex- 
tended to work for more general t-ary trees with t > 2. When working with 
binary trees, we typically use nodes u and w as child nodes of v. In order to 
compute a cost of a subtree rooted at node v, we need to consider two cases: 
computation of C + {v, j) and C~(v, j), which we describe subsequently. Let 
us consider non-leaf nodes first and then proceed with leaves of the tree. Time 
complexity of the algorithm for both binary and arbitrary f-ary trees is given 
later in this section. 

Non-leaf Nodes 

Case of C + (v, j): When the cost is computed in the positive context, we need 
to consider three different cases. 

Case 1: No record is placed at v. Then C + (v, j) is computed as: 

C + (v, j ) = min{C' + (u, i) + C + (w,j — i) + c±\ 0 < i < j}, 
where c\ is 1 if v is not in the order, and 0 otherwise. 

Case 2: A negative recursive record is placed at v. This case cannot happen 
if v is included in the order. We compute the value as: 

C + (v, j) = min{C _ (u, i) + C~(w,j — i — 1)| 0 < i < j — 1}. 
Case 3: A negative local record is placed at v. This case also cannot happen 
if v is included in the order. To compute C + (v, j), we use: 

C + (v, j) = min{(7 + (u, i) + C + (w, j — i — 1)| 0 < i < j — 1} 
After computing all of the values above, C + (v, j) is assigned the minimum 
of the three values. 
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Case of C ( v , j): For the negative context there are also three possible cases. 
Case 1: No record is placed at v. This case cannot happen if v is included 
in the order. The formula for computing C~ (v , j ) is as follows: 

C~(v, j ) = min{C - (u, i) + C~(w,j — «)| 0 < * < j} 

Case 2: A positive recursive record is placed at v. In the formula below, ci 
is set to 1 if v was not included in the order, and it is 0 otherwise: 

C~(v, j) = min{C + (u, i) + C + (w,j — i — 1) + Ci | 0 < i < j} 
Case 3: A positive local record is placed at v. This case normally does not 
happen when v is not in the order. To compute C~(v , j), we use: 

C~(v, j ) = min{(7 + (u, i) + C + (w,j — i — 1) + ci|0 < i < j} 
Analogously to the previous case, C~ ( v , j ) receives the value of the minimum 
of the three values computed in these cases. 

Leaf Nodes 

Case of C + (v, j): If j > 0 and v is not in the order, then we can exclude the 
node from the solution by placing a negative record at it. In this case, the 
cost C + (v, j) is 0. Otherwise, no record can be placed at the node; the cost 
C + (v, j ) is 0 if v is included in the order, and 1 otherwise. 

Case of C~(v, j): If j = 0 and v is included in the order, then C~(v , j) should 
be set to +oo to prevent this configuration from being chosen, as it does not 
satisfy the algorithm’s requirements. In all other cases, C~(v, j) is 0. 

Complexity analysis. To compute the cost of an order, we use the above 
rules to compute C~ (root, k). Every documents i included in the order is taken 
into account at the time of computing the cost of the subtree rooted at node 
i. For a tree of n documents and card’s capacity of k slots, this algorithm runs 
in 0(n ■ k 2 ) time for binary trees. For arbitrary f-ary trees the algorithm gives 
0{n ■ k *) time. 

An extension to records of variable depth. Let h be the height of the tree. 
The dynamic programming approach we have can be extended to include all 
possible heights for each node v. This means that when we compute a cost of a 
subtree C + (v, j) or C~(v, j), we now can specify the depth of the record placed 
at v, which can vary from 1 to the height of the subtree rooted at v. In this case, 
there is no need to distinguish between local and recursive nodes any more, as 
they are replaced by a single record in which the desired depth is specified. We 
do not include the algorithm’s details in the paper due to space considerations. 

For a f-ary tree, this modification implies a factor of h (but not h 4 ) because 
any record placed at the parent covers one child’s subtree at same depth as for 
another child’s subtree. Thus, this adds an extra h to the time complexity. 

Note. Currently, the tree algorithm is static because no permutation for the 
tree structure is used. To make this scheme viable, more research needs to be 
done to make each solution unique by means other than permutation, e.g., false 
positives are randomized for each order but are kept below a certain threshold. 
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6 Conclusions and Future Work 

In this work we presented a problem of fine-grained document access control 
under space restrictions. Our solution preserves customer anonymity, uses effi- 
cient algorithms to perform access control, and at the same time minimizes loss 
caused by policy compression. We gave a full-grown solution for unstructured 
data and provided a method for evaluating the cost of a solution for hierarchi- 
cally structured repositories. Future directions include providing more thorough 
(possibly empirical) analysis of our scheme and building a solid framework for 
hierarchical data. 

This work can be extended to cover other types of structured data. In partic- 
ular, grids can be of practical interest in the context of Geographic Information 
Systems (GIS) subscriptions where land is partitioned into cells of a standard 
size. A customer can subscribe to a cell and receive information about tempera- 
ture, humidity, precipitation, and other meteorological data relevant to the area. 
Each subscriber selects cells of his interest and pays to get access to a customized 
area of his choice. Access control is enforced through the use of cheap cards of 
limited capacity. An algorithm to compute the optimal cost of a subscription in 
this case will model geometric algorithms for approximate representation of a 
polygon. A difference from the standard approximation methods here is that the 
requested area must be included entirely in the card, while the number of other 
cells stored on the card should be minimized. 
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Abstract. Distributed systems make increasing use of encrypted channels to en- 
able confidential communication. While non-interference provides suitable means 
to investigate the flow of information within distributed systems, it has proved to 
be rather difficult to capture the notion of encrypted channels in such a frame- 
work. In this paper, we extend the framework Maks for possibilistic information 
flow in order to distinguish between the information flow due to the fact that a 
message has been sent and the flow that is due to the actual content of a mes- 
sage. We introduce an equivalence relation on observable events to identify those 
events an observer cannot distinguish and provide reduction techniques that en- 
able us to prove the security of such systems with the help of exisiting unwinding 
techniques. 



1 Introduction 

Information flow control (e.g. [7, 16, 11,5]) relies on the idea of modeling confiden- 
tiality (and dually: privacy) of data as restrictions on the flow of information between 
different domains of a system. Starting with the work of Goguen and Meseguer [2, 3], 
the restrictions on information flow for deterministic systems have been formalized as 
independence properties between actions and observations of domains: Alice’s actions 
are confidential wrt. Charly if his observations are independent of her actions, i.e. if 
Alice changes her actions this does not cause different observations for Charly. In this 
case Alice is said to be non-interfering with Charly. For non-deterministic systems, the 
intuition works backwards: Alice is possibilistically non-interfering with Charly if the 
observations of Charly can be explained by several, different behaviors of Alice. Thus, 
Charly’s observation does not reveal which actions Alice has chosen. 

Consider, for example, that Alice has stored a personal identification number (PIN) 
on her computer and suppose Charly is monitoring her internet connections. Alice’s PIN 
is confidential for Charly if his observations of Alice’s actions are explicable with both, 
Alice’s actual PIN and another arbitrary PIN. If we assume that Charly can only observe 
messages going from and to Alice’s computer then Alice’s PIN is secure if no message 
leaving her computer depends on the PIN. However, once Alice uses her PIN when 
communicating with her bank, Charly can observe a message which depends on Alice’s 
PIN; i.e. using a different PIN would result in a different observable message. Hence, 
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analyzing the security of this scenario with the help of strict information flow control 
techniques would reveal a leak of information. In practice however, Charly is not able 
to infer the PIN if we assume perfect cryptography. There are specialized techniques to 
investigate and verify properties of cryptographic protocols (e.g. [8, 1,9]). They inves- 
tigate how an attacker can deduce secret information (only) by analyzing, intercepting 
or forging messages and assume fixed capabilities of an attacker (Dolev-Yao model). 

In the past intransitive information flow techniques (cf. [ 12, 10, 13]) have been ad- 
vocated to deal with modeling encrypted communications. Encryption is considered as 
an explicit downgrading that renders the confidential message into a visible (encrypted) 
one. However, while this approach simply assumes that Charly cannot infer the PIN by 
observing visible encrypted messages, our approach will allow us to prove this prop- 
erty provided that Charly cannot, in fact, distinguish different encrypted messages. In 
particular, we will be able to detect security leakages arising from traffic analysis. 

Encryption, or more generally one-way functions, have been studied in the context 
of language based security, e.g. [4], [ 15]. These approaches provide assumptions about 
the probabilistic properties of encryption. They give syntactic conditions for programs 
that ensure there is no probabilistic information flow from the initial values of high vari- 
ables to the final values of low variables, once the program has been run. In contrast, we 
are interested in what an observer can learn from messages that are exchanged between 
parties in the system in an ongoing computation, where the observer may or may not be 
one of the parties. 

We base our techniques on the framework Maks [6] developed to specify and ver- 
ify possibilistic information flow policies. In this paper we extend the framework by 
techniques which enable its application also when specifying and verifying the security 
of systems containing encrypted communication. They allow us to model the prop- 
erty that an observer cannot distinguish different encrypted messages without knowing 
the key. Regardless whether Alice sends the encrypted 4711 or the encrypted 4712 to 
her bank, Charly will see a bit-stream. He might suspect to see an encrypted PIN but 
(unless he knows the key) he has no information which encrypted PIN he sees. Both 
events cause the same flow of information for Charly: some encrypted PIN has been 
sent to the bank. In the formal analysis of such a system we will identify these events 
when inspecting the security of the system from Charly’s point of view by introducing 
equivalence classes of events. We assume that Charly is not able to distinguish different 
representatives within an equivalence class by presuming perfect cryptography. 

After a brief introduction to the framework Maks in Sect. 2, we illustrate how 
generic security predicates (defined in Maks) are adjusted to the new setting. In Sect. 3 
we exemplify this approach by translating two basic security predicates into new secu- 
rity predicates and show that we can reduce these predicates to the original predicates 
for a transformed system. This allows us to make use of the original verification tech- 
niques, i.e. the unwinding theorems, to verify these predicates as presented in Sect. 4. 



2 Preliminaries 

In this section we will introduce concepts and notation and briefly present the parts of 
Maks [6] that we use in this paper. Systems are described by an event system ES = 
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(E,I, O. Tr), which consists of a set E of events, two sets 1.0 C E of input and output 
events, respectively, and the set Tr C 2 e * of possible system traces. The set Tr of finite 
sequences of events is required to be closed under prefixes, i.e. a. (3 £ Tr implies a € Tr, 
where we write a. (3 for the sequence resulting from concatenating the sequences a and 
(3. We write ,e„) for the sequence consisting of the events e\,... ,e n . 

In Maks, security properties are closure properties of sets of possible system traces 
(parametrized over an arbitrary set of events E) that are described by a conjunction of 
basic security predicates (BSPs) and a view. A view V = (V.N.C) for £ is a disjoint, 
exhaustive partition of E and formalises an observer or attacker: C comprises those 
events whose occurrence or non-occurrence should be confidential for the observer, V 
represents those events that are directly visible for the observer, and N are all other 
events. An event system satisfies a security property if each BSP holds for the view and 
the set of possible system traces. BSPs that we will be using as examples in this paper 
are BSD and BSIA 1 defined as 

BSD v {Tr) <s=> [Va,(3 e E*,c£C. ((3,(c) .a e 7rAa| c = () (1) 

=> 3a' € E*,t? £ Tr. ((3. a' = %' Aa'| v = a| v A a'| c = ()))] 

BSIA P v {Tr) [Va, (3 e£*,c£C. ((3. a £ 7r Aa| c = () AAdm p ^(Tr, (3,c) (2) 

=> 3a' £ E* £ Tr. ((3. (c) .a' = x' Aa'| v = a| v Aa'| c = ()))] 

where x\ D is the projection of T to the events in D C E. Adm p ^(Tr,^,c) holds if the 
confidential event c is admissible after the trace (3, when only events in the set p('P') 
are considered, i.e. for all functions p from views over E to sets of events, we have 
V(3 £ E* ,c £ C. Adm p ^ ; (Tr,$,c) ^ 3y£ E*. y. (c) € Tr Ay| pW = p| p(V) . 

A state-event system SES = (E,1, 0,5, so, T) consists of a set of events E, in- and 
output events I and O, a set of states S, an initial state so £ S, and a transition relation 
T C S x E x S. T is required to be a partial function on S x E, i.e. for each given state 
s and for each given event e there is at most one successor state s' for which T(s.e.s'), 
which we also write as s — e -^r s'. We also write s — >t s' if a = () and s' = s or a = (e) .(3 

and there is a state s" such that s — e -^r s" and s" — s', and say that a is enabled in s, 
that s' is reachable from s, and write reachable(SES , s') if s' is reachable from so- SES = 
(£,/, 0,S,sq,T) induces ES = (E. I.O. Tr) iff Tr= {a | a enabled in so for SES} . 

Maks provides unwinding conditions that allow the local verification of BSPs. As 
examples for unwinding theorems [6], we have 

- lrf^/(SES, k) and osc^(SES, x) imply BSDtpiTr) and 

- lrbe p q y(SES , k) and osc^(SES, x) imply BSIA p ,(Tr ) 

where k is an arbitrary relation over S x S and 

osc^>(SES, k) Vsi,Si,S 2 £ S,e £ E\C. (3) 

reachable(SES , si ) A reachable(SES, s\ ) A Sj — ^ s l 2 A sj k si 
=> 3s 2 £ S, 8 £ ( E\C )*. S|y = (e) \v A si — S 2 A s' 2 x si 

1 BSD stands for backwards-strict deletion and BSIA for backwards-strict insertion of admissi- 
ble events. 
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lrf^/(SES,K) •<=>■ Vs,/ £ S,c € C. reachcible(SES,s) As ~^>t s' =>■ s' tx s (4) 
lrbe\,{SES , x ) <s=> Vs G 5, c G C. (5) 

reachable(SES,s) AEn^SESiSjC) => 3/ £ S. s — s' As k s' , 

where similarly to Adm\ y, models that the event c is enabled in state s: 

\/s eS,cGC. En P r (SES,s,c) <^> 3(3, ye E*,s,s' e 5. so = P| p (<p) Aso — ^ 

sAs-^-s s'. 

3 Non-interference Modulo 

In Maks a basic security predicate 0 is defined as a closure property on sets of traces. 
The idea behind using closure properties is the following. Suppose an attacker observes 
the visible events of a system run (while the confidential ones are invisible). We as- 
sume that attackers know all possible system runs, thus they know the set of all possible 
system runs which might have caused the observed behavior. In particular, an attacker 
knows the confidential events occurring in these possible runs, and can try to deduce 
constraints on the confidential events that must have occurred in the observed run. Infor- 
mation flow happens if the attacker is able to deduce knowledge about the occurrence 
or non-occurrence of confidential events beyond the knowledge already deducible from 
knowing the system specification, by inspecting the set of runs that are consistent with 
the observed behavior. A system is secure if this set of runs contains a sufficient variety 
of different possible sequences of confidential events. Closure properties are used to de- 
scribe this variety because, intuitively, they demand that if there is a possible system run 
X satisfying some precondition, then there is also another possible system run x' such 
that the attacker cannot distinguish both. Suppose x' in turn satisfies the precondition. 
Then we can inductively deduce the existence of another trace x" and so on. To assess 
the security of a system satisfying some basic security predicates we need to understand 
the guaranteed variance of traces wrt. confidential events being in the transitive closure 
{x,x',x", . . .} of an observed system run x. 

3.1 An Example 

As an example suppose, Alice uses e-banking, and she is required to change her autho- 
rization PIN periodically. For this purpose she uses a web interface to edit the PIN and 
to send it to the bank via some encrypted channel. The bank checks the new PIN and ac- 
cepts it if it has been changed and rejects it if the new PIN is identical to the old one. We 
simplify this example by assuming that — 1 is the old PIN. Figure 1 illustrates the pos- 
sible traces of the corresponding system. The set V of visible events consists of all the 
messages that Alice exchanges with her bank: V = {Send(enc(/)) | i £ NU {—1}} U 
{Repl(enc(acc)),Repl(enc(rej))}. C = {SetPIN(f) | i € N} is the set of confiden- 
tial events that represent Alice changing her PIN to i ^ — 1 . The set of non-visible but 
deducible events N is empty. Let us now discuss three different scenarios depending on 
how the bank reacts to Alice’s change requests. 
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Send(enc(/)) Repl(enc(acc)) 




Fig. 1. Traces of Examples 1, 2, and 3 



Example 1. Suppose the bank responds to all attempts of Alice to change her PIN. Thus 
the set of traces Tr is the smallest set with (SetPIN(/),Send(enc(/)),Repl(enc(acc))) 
£ Tr for all i € N, (Send(enc(— l)),Repl(enc(rej))) £ Tr, and Tr is closed under 
prefixes. Since in all cases Charly only sees two encrypted messages between Alice and 
her bank, he can never say whether Alice has changed her PIN. However, neither BSDp 
nor BSIA p t , (with p('P') —V) hold for the system and the view T / ' = ( V,N,C ). Consider 
for instance BSD: if we remove the confidential event SetPIN(5) from the admissible 
trace (SetPIN(5), Send(enc(5))) we end up in a non-admissible trace (Send(enc(5))). 

Example 2. Suppose now that the bank only rejects Alice’s message Send(enc(— 1)) 
and does not answer to any other message. Then the non-occurrence of a confidential 
event SetPIN(i) is leaked, even if all the messages are encrypted: when Charly sees the 
second visible event, which is the encrypted reject, he knows that Alice has not changed 
her PIN. 

Example 3. Finally suppose that the bank only acknowledges correct PINs by sending 
only Repl(enc(acc)) but no Repl(enc(rej))-messages, then the occurrence of a con- 
fidential event SetPIN(i) is leaked. If Charly sees the second visible event, he knows 
that Alice has changed her PIN. 

In the following we will use these three scenarios as running examples to illustrate our 
approach. 

3.2 Definition of BSP Modulo « 

While Maks allows arbitrary closure properties as BSPs, all concrete instances are 
given in a more constructive way: they describe in a declarative way how to manipulate 
confidential events of the system run x in order to obtain the confidential events of the 
postulated run x' . Our examples, BSD and BSIA, simply add or remove, respectively, 
a single confidential event in x to obtain x! ( perturbation ), and they additionally allow 
the adjustment of the non-visible events of x ( corrections ) to obtain a new possible 
trace x' . Since we are only interested in traces which are consistent with a particular 
observed system behavior, x and x' have to cause the same observation for the attacker, 

i.e. X|y = X | y. 

BSPs of this form can be represented with the help of two predicates, P and Q. P is 
used to select those runs x that imply the existence of other runs x' . Q is used to describe 
or analyze the form of the postulated x' . We use y and z as technical means to refer to 
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structural information about the related traces T and x' obtained by the predicates P and 
Q. Based on this structural information, the two functions comp x and comp x i construct 
or synthesize the traces from these substructures. Technically, all concrete BSPs in [5] 
satisfy the following pattern: 

0^(7r) 4==> Vy £ Y . comp x (y) £ Tr AP(y) (6) 

=>• 3 z £ Z. comp x i(y,z ) £ TrAQ(y,z ) 

Roughly speaking, the basic security predicates 0 requires that if there is a trace T = 
comp x (j) in Tr satisfying some precondition P(j), then there is also some trace x' = 
comp x i(y,z ) in Tr satisfying some postcondition Q{y,z)- 

3.3 Event Classes 

We formalize the idea of non-distinguishable events by introducing an equivalence re- 
lation « on visible events that identifies exactly those visible events that an observer 
cannot distinguish. In our examples we choose Send(enc(/)) « Send(enc(y)) for all 
i,j £ NU{— 1} and Repl(enc(acc)) « Repl(enc(rej)). Furthermore, our observer is 
also not able to identify two encrypted messages having the same content. Technically, 
this requirement can be obtained by implementing the encryption by using a so-called 
“salt”. Then, encrypting the same message twice results in different ciphertexts. 

We extend « to the set E of events in the canonical way and write e~ for the 
equivalence class of an event e. We also extend this notation to other sets that are 
uniformly constructed in terms of the set E, e.g. if (e\ £ E* we write = 
(ei~, . . . ,e n ~) £ ( E~)* = Et for the sequence consisting of the equivalence classes 
of the events that occurred in T and similarly for tuples (e\, . . . ,e„) a = (ei~, . . . ,e n ~ ) 
and sets {e \ , . . . ,e„}~ = {e\~, . . . ,e„~}. is always a view over E~ given by 1Z~ = 
(V^Cs, Wa) because « only identifies events in V. Let CO C ( E ~ )*, then by abuse of 
notation we write a € co for a- : = co. 

As mentioned before, the concrete BSPs in [5] are based on a fixed semantics of 
visibility. The closure property will guarantee the existence of different traces having 
identical sequences of visible events. However, this semantics is too restrictive for our 
purposes since we assume that an observer cannot distinguish between visible events in 
the same equivalence class. Hence, we adjust the definitions of BSPs in a uniform way 
to be in line with the changed semantics of visibility. First, a BSP 0 requires for all 
system traces T that some constructed sequence x' is also a system trace. While using 
the same functions comp x and comp x i to synthesize x and x' as in the original BSP, we 
weaken the requirements that x' be a system trace: we only require that there is a system 
trace x" that is equivalent to x' wrt. Since « identifies only visible events, x' and x" 
will coincide in their confidential and non- visible events. They only differ in the plain 
text of encrypted messages, a difference that an observer cannot notice by assumption. 
In general we also have to adjust the predicates P and Q to the changed semantics of 
visibility resulting in some predicates P and Q. For example, when translating BSIA P 
in Def. 3 we have to adjust the notion of admissibility A dm such that we do not require 
the existence of a system trace a. (c) but only the existence of a system trace that is 
equivalent to a. (c). In general, we obtain the following pattern for a BSP modulo «: 
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0^;( Tr ) -<=>• Vy € Y . comply) € Tr A P(y) (7) 

=>■ 3z G Z. 3x" g Tr. comp x i(y,z) « x" A Q(y,z) ■ 

As a first example consider the closure property BSD, cf. (1) on page 211. Since BSD 
does not involve additional pre- or postconditions, we can apply the pattern straightfor- 
wardly which results in the following modified basic security property: 

Definition 1. 

BSD v {Tr) «=> [Va, (3 G E*,c G C. (p. (c) .a G 7rAa| c = () 

=> 3a' G E*,t? g Tr. (p.a' « x' Aa'| y = a| y Aa'| c = ()))] (8) 

Let us apply the definition of BSDqy to our examples. Consider all traces p. (c) .a in 
which confidential events occur. This implies c = SetPIN(i) for some i G N and p = (), 
since a confidential event occurs only as the first event of a trace. Then, BSD^> demands 
in our example that there is a system trace equivalent to a in which the PIN is not 
changed. In Example 1, Charly will observe an encrypted message from Alice to her 
bank and a response of the bank to Alice, regardless of whether Alice had changed her 
PIN or not. Formally, a is a prefix of (Send(enc(i)),Repl(enc(acc))). Let a' = a and 
T 1 the corresponding prefix of (Send(enc(— l)),Repl(enc(rej))) then p.a' = x' and 
BSD holds. 

In Example 2, the bank only replies if Alice uses her old PIN. Observing the trace 
in which Alice changes her PIN, Charly is not able to distinguish this trace from 
the prefix of a trace in which Alice uses her old PIN. Formally, in this case a is 
a prefix of (Send(enc(/))). Again let a! = a and l' be the corresponding prefix of 
(Send(enc(— 1))) then p.a' = X 7 and BSD holds. In Example 3, the bank acknowledges 
the changed PIN. Charly can observe this encrypted response and deduce that Alice 
has changed her PIN. Therefore, BSD is not satisfied: if we choose a = (Send(enc(f)), 
Repl(enc(acc))) we cannot find an appropriate a! which satisfies the requirement of 
BSD. The only non-empty trace would be (Send(enc(— 1))) which can be easily dis- 
tinguished from a by the observer. Hence, BSD reveals that in Example 3 information 
about the occurrence of a high-level event is leaked. As expected it does not reveal the 
information leak about the non-occurrence of a confidential event in Example 2. For this 
purpose, the framework Maks provides BSPs for inserting events, e.g. BSIA^, which 
is used to detect information leakages about the non-occurrence of confidential events. 
Thus, let us consider BSIA ^ which involves a non-trivial PiTr. p,c) = Adm p ^(Tr, P,c). 

Definition 2. Let p be a function mapping views on E = VUCL)N to subsets ofE and 
ss be an equivalence relation on V. p is compatible with ss iff for all views V : e\ ss e 2 
implies e\ G p('L') <==> e 2 G p(T’). If p is compatible with ss then we write p^for the 
uniquely defined function that maps views on E~ = V~ UCL UAL to subsets of E~ by 
p s»(TL) = (p(-H)L. Let p be compatible with ss then A dm, pi is defined by: 

VP G E*,c G C. Admv(Tr,$,c) 5=> 3y G £*. y. (c) G Tr and Ylppp) ~ Plppp) 
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Definition 3. 

BSIA P q/(Tr) [Va, (3 £ E*,c £ C. ((3.a G 7? A a| c = () /\Admp{Tr, (3,c) 

=> 3a' g E*,x' g Tr. ((3. (c) .a' « x' Aa'| v = a| v Aa'| c = ()))] 

Let us discuss this definition within our examples. Roughly speaking, BSIA requires 
that we can insert “admissible” confidential events into system traces and obtain again 
system traces. In our example, we only have SetPIN(i) as confidential events, and 
these are only admissible at the beginning of a trace. Thus, Adnip(Tr, (3,c) is true iff 
(3 = () and c = SetPIN(i). Hence, for all a G Tr we have to find a trace l' G Tr which 
produces the same visible behavior as (SetPIN(/)) .a (since A = 0, a and a ' must be 
equal). In Example 1, a is a prefix of (Send(enc(— l)).Repl(enc(rej))), and with 
x' being the corresponding prefix of (Send(enc(/)),Repl(enc(acc))), BSIA P p is sat- 
isfied. In Example 3, a is a prefix of (Send(enc(— 1))), and with l' being a prefix of 
(Send(enc(i))}, BSIA^> is satisfied. However in Example 2, BSIA^i does not hold: let 
a = (Send(enc(— l)),Repl(enc(rej))) then there is no corresponding trace l' produc- 
ing the same observable behavior, because only prefixes of (SetPIN(i), Send(enc(/))) 
are possible traces. Thus, BSIA P ^> reveals the information leakage in Example 2. Select- 
ing the conjunction of BSD and BSIA y as the security predicate of our example reveals 
that both Examples 2 and 3 are insecure while Example 1 is secure. 

3.4 Reduction of 0 Modulo « 

In order to prove the security (in the meaning of information flow) of a given system 
we specify the security predicate as a conjunction of basic security predicates and prove 
each BSP, e.g., by using appropriate unwinding techniques. We can cope with encrypted 
messages by defining an appropriate equivalence relation on visible events and using the 
individual corresponding 0~ instead of 0. 

Although each property 0~ is itself a closure property of traces and, therefore, a 
BSP, it is not a member of those BSPs presented in [5], Thus, a priori no unwinding 
result exists for 0~. Rather than developing our own unwinding theorems for prov- 
ing 0~, we will reduce the problem of proving 0~ in a given system to the problem 
of proving the related 0 in a transformed system. We obtain the transformed system 
by operating on classes of events instead of operating on individual events. Hence we 
define: 

Definition 4. Let ES = (E.I . O. Tr) be an event system with E = V U C U /V and ~ be 
an equivalence relation on V . Then, ES&, the event system ES modulo ss is defined by 
ES « = {E K ,I~.0~,Tr K } ( with Tr~ = {x^T G Tr}). 

Obviously, ES~ is itself an event system. Note that the set of input and output events 
of ES-- might not be disjoint, even if I and O are disjoint. However, input and output 
events are not required to be disjoint for event systems anyway. 

Since ES X is an event system over the set of events E~, we can require it to satisfy 
a given BSP relative to a view for E~. We will now investigate the relationship between 
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ES satisfying 0^; and ES^ satisfying 0^ . In particular we are interested in BSPs for 
which the two are equivalent. 

Definition 5. Let 0 and & be two closure properties of traces, ES an event system, ‘V 
a view, and ss an equivalence relation over V. We say that O' is ^-reducible to 0 iff 
®\,(Tr) ^ &v a (Tr,*). 

In the rest of this section we will show that BSD is ^-reducible to BSD, and similarly 
for BSIA and BSIA with some restriction on admissible relations 

Lemma 1. Let D CE be a set of events. Then 2 

Vco ,p G El. co|^ = p\ D ~ ==>• Va G co. 3a' G p. a\ D = a!\ D . (10) 

Proof. By induction on the length of co| D ^. Base case: let co | D = () = p\d_ . Thus 
co ,p G ( E~ \D~)* and a G ( E\D )*. Let a' G p, then a' G ( E\~D )* and a'\ D = () = 
a| D . Induction step: let col^ y (). Thus, there are C0i,C02 G El and u G D~ such that 
CO = COi . (m) .CO 2 and C0i = (). Analogously, we decompose p by p = p\ . ( u ) ph with 
p\ = (). Hence, a = ai. (e) . 0,2 with ai G COi, e G u and a 2 G CO 2 . Let a" G p. Thus 
a" = a", (e 1 ) .a" with a'(\ D = (), e' G u and a" G p 2 - Since C02| D _ = pi\ D „ and a 2 G 
CO 2 the induction hypothesis implies that there is an of G P 2 with 0 C 2 1 D — of \ t) . Let 
a' = a", (e) ,a 2 then (a", (e) .a!f)~ = // 1 . (u) ,p 2 = p and a", (e) .o! 2 \ D = () . (e) . a 2 \ D = 

^\ D -{ e )M D = ^\ D - D 

Theorem 1. Let « be an equivalence relation on V then BSD is ss - reducible to BSD. 

Proof. Suppose, ES : - satisfies BSD,^ which means that for all co ,p £ El and 

z G CL, (p. ( z ) .co G Tr~ A co| c _ = ()) implies that there is a a/ G El such that p. a/ G 
Tr~ A co'ly^ = co| y _ A co'| c _ = () holds. Let (3. (c) .a G Tr for some a, (3 G E* and c G C 
such that a| c = (). Thus p~. (cb) -OC^ G Tr~ and (Xrj| c _ = (). Since £7>~ satisfies BSDp 
there is some co' G El with p-.co' G Tr~, co' | = oc^l^, and co'| c ~ = (). Since co'| y _ = 
and aG(fc Lemma 1 implies the existence of a" G co' such that a| v = o!'\ v . 
Since |3 ; - .co' G Tr~ there are also a', (3' G E* such that (3'. a' G Tr, (3' G [3 - , and a! G co'. 
Thus, first (3. a" G p^.a/ = p'^.a'sj = (p'.a'),^ Second, a"\ v = a| y and finally, a"\ c = 

«»l c» = 0- 

Suppose, ES satisfies BSDp which means for all a. |3 G E* and c G C, (p. (c) . 
a G TrAa\ c = ()) implies that there are a' G E* and x' G Tr such that p.a' « x', a!\ v = 
a| v and a'| c = (). Let co ,p G El and z G such that p. ( z ) .co G Tr~ and co| Cr _ = (). 
Thus, there are a,p G £* and c G C such that p. (c) .a G p. ( z ) .co, p. (c) .a G Tr and 
a| c = (). Since ES satisfies BSD^i, there is a a' G E* and a x' G Tr such that p.a' « x', 
a!\ v = a| v , and a'| c = (). Therefore, p-.a'^ = (p.a'^ = x'^ G Tr~, a'^l^ = 
and a'sa | c _ = (). □ 

Lemma 2. Let p be a function mapping views in E to subsets of E that is compatible 
with an equivalence relation « on V. Then, for all Tr C E* , for all P G Tr and c G C: 

Adrn<p(Tr,$,c) <£=>■ Adm^ (Tr~,fi~,c&). 



2 Remember that by definition D~ = {e~\e G D} = {/r G E~\pHD f 0}. 
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Proof. Suppose Adm<p(Tr, (3, c) holds for some Tr C E* , [3 G Tr, and c GC which means 
there is a yG E* such that y. (c) G Tr andy| p ^j « (3 IpfT^) • Then obviously, y~. (c^) G Tr~ 
andy~| p ^^ = P^lp^-p^) such that Admff (7>~,P~,Cr;) holds. 

Suppose Adm\ ^ ( Tr~ , p~ , ) holds which means there is a p G El such that p. (c& ) G 
Tr~ andjulp^y^ = Plp~(<p~)- Since p. ( c «) G Tr~ there is some p' € E* with p'. (c) G Tr 
and p' Gp. Thus, P'lp^ = P\p^) = P^lp^oi,) which implies P'| p(V) « p| p ^. □ 

Theorem 2. Let ss be an equivalence relation on V and p be compatible with «, then 
BSIA P is «- reducible to BSIA Pbi . 

Proof. “<t=”: Suppose, ES~ satisfies BSIA p f? . Thus for all ( 0 ,p G EZ and z G C ~ , (p. CO G 
Tr~ A to | q = () A AdtrPy (Tr~,p,z)) implies that there is a co / G EZ such that p. (z) ■C0 / G 

Tr~ Aco'ly^ = Co| y _ Aco'| c _ = () holds. Let p.ae Tr, a| c = () and Adm P p(Tr. p,c). Thus, 
Pra-OtfB G Tr~, = () and Adm p fy (Tr~, P~,c~) hold. Since £2>~ satisfies BSIA P ^ 

there is a co' € EZ such that p~. ( c ~) .Co' S Tr~, co' | = oc^l^ and co'l^ = (). Hence, 
we can find p',y G E* with p'. (c) .y G Tr such that p' G p?s and ye co'. This implies that 
Y~ly~ = a^l^ which guarantees the existence of some /gy- withy'll = a| y . Finally, 
p. (c).f « p'. (c) .ye Tr and f | y = a\ v and f\ c = i J\ Ca = Y»| C(o = co'| Css = <). 

Suppose, ES satisfies BSI^wp. Thus for all a, p G E* and c G C, (p.a G Tr A 
a| c = () A Adnip(Tr, p,c)) implies that there is some a! G E* and f G Tr such that 
p. (c) .a! ~ x' with a!\ v = a| y anda'| c = (). Let/r.co e Tr~, co| c ~ = () and Adm p ff ( Tr ~ , 
p,z) for some z G C~. Then there are a. P e E* such that p.a e Tr, (p.a) G p . co and 
a| c = (). Let c G z- Then Lemma 3 implies Adm!p(Tr,$,c). Since ES satisfies BSIA P p 
there exist a' G E*.f G Tr such that p. (c) .a' « a'ly = a| v and a'| c = (). Thus 
(p.(c).a'L = P«.(z) .a'a =p. (z) .a'ss, a'sa | =a C3 | Vss , anda'^ = (). □ 

Corollary 1. Let ss be an equivalence relation on V, then BSI is reducible to BSI. 

Proof. Easy consequence of Theorem 2 with p ( V) = E. □ 

We believe that for each BSP 0 of Maks a corresponding 0 can be defined such that 
0 is ^-reducible to 0 for most equivalence relations «, but we have not checked the 
details yet. 

4 Unwinding 

In the previous section we have given a definition of security predicates modulo an 
equivalence relation « on visible events. We have also shown that security predicates 
modulo ss can equivalently be expressed as security predicates applied to an event sys- 
tem transformed by «. This means that all results for given security predicates can be 
used to reason about security predicates modulo «. This applies, e.g., to composition- 
ality results or unwinding results. In this section we will investigate the details of how 
unwinding results for a BSP 0 are used for 0. 
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induces 



ES satisfies Q^> 



? 1 sa 

t 

SES ► ES~ satisfies 0„; 

induces " 



Fig. 2. Unwinding 0 modulo 



Suppose, SES = (E,I, 0,S,sq, T) is a state-event system that induces an event sys- 
tem ES = (. E,I,0,Tr ). To prove that ES satisfies a BSP 0 wrt. a view ‘V we have to 
show that, for some chosen unwinding relation x on the set of states S, the unwind- 
ing conditions corresponding to 0 and T' hold. Now we are interested in whether ES 
satisfies 0, which - for ^-reducible BSPs - can be reduced to the problem of proving 
that ES,- satisfies 0 wrt. “V~. We can show this property by unwinding if we find a 
state event system SES that induces ES,- and for which we can show the unwinding 
conditions corresponding to ES~, V-- , and 0, cf. Fig. 2 for a visualisation of this. 

4.1 Unwinding for SES 

We are left with the construction of an appropriate state-event system SES that induces 
ES&. Since the states in the original state-event system SES usually express the intuition 
about the system under consideration we construct the state-event system SES by using 
simply the set of states introduced for SES. 

Definition 6. LetSES= (E.l . O.S. so, 7) be a state-event system such that T definedby 
Vs i ,S 2 € S, u € E~ . T{s\ 1 m, S 2 ) 3 e & u. T (si , e, S 2 ) is a partial function on S x E~. 

Then, the state-event system SES modulo sa, is defined as SES = (E~,I~,0^,S,so,T). 

Theorem 3. For each CO £ El, CO is enabled in SES iff CO £ Tr~, i.e. SES induces ES~. 

To prove this we need the following lemma. 

Lemma 3. For all s £ S and CO £ El,, s 0 — 'f s iff there is a T £ E* with x~ = CO such 
that so — >t s. 

Proof By induction on the length of CG. Base case', trivial since CO = () and x = (). 
Induction step: assume that CO = p. (u). The induction hypothesis yields that for all 
states s' £ S, so s' iff there is an a € E* with = p such that jo -^-> 7 - s'. By 

Def. 6 , T{s' ,u,s) iff there is an event e £ u such that T{s' ,e,s). Thus, so s iff there 

■ 1 1 a -i e ) 

are a, e such that e £ u, a ^ = p, and jo — >r j. □ 

Proof (of Theorem J). CO is enabled in SES , thus there is some s £ S such that 

so —*f s, which implies that there is some x £ CO with so — >t s (by Lemma 3), and 
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SES satisfies UCy 



_ ^ II 

SES satisfies UC ^ ■= > ES~ satisfies 0^ 

Fig. 3. Direct unwinding. Arrows represent logical implication. 



(*) 



ES satisfies 0^; 



because SES induces ES this implies t € Tr, and finally 0) = x~ £ Tr~ by definition of 
Tr~. 

“<t=”: CO £ Tr~ implies there is some x £ CO with x £ Tr, thus so — > t s, which implies 
so s, and because of x~ = CO, this implies that CO is enabled in SES. □ 

Now, existing unwinding theorems for 0 are directly applicable and we obtain the fol- 
lowing theorem. 

Theorem 4. Let SES be a state-event system SES mod ulo ~ and 0 be a ss- reducible 
BSP with associated unwinding conditions UC®. If SES satisfies UC® wrt. then ES 
satisfies 0 wrt. V . 

The theorem allows us to lift all unwinding results for BSPs in Maks to unwinding 
results for BSPs modulo « provided the transition relation T of SES is functional. Sup- 
pose T is (in contrast to T) not a partial function. Thus, there is a state 5 that has several 
successor states wrt. a (visible) event . This represents a spontaneous choice that is, 
on one hand, independent of the confidential behavior of the system but, on the other 
hand, hidden from the observer by the encryption. If the choice is not confidential, 
then there is no need to encrypt the event. But if the choice is confidential there should 
be a confidential event representing the choice and resolving the indeterminism. Thus 
we claim that the restriction of T being a partial function is not a serious restriction 
in practice. Nethertheless, if there should be realistic examples which require a non- 
functional T, there is still the possibility to lift the approach to state-event systems with 
non-functional transition relations. 

4.2 Direct Unwinding of 0 Modulo « 

Given a state-event system SES, a view r U, an equivalence relation ss on V, and a «- 
reducible BSP 0, Theorem 4 allows us to show that SES satisfies the security property 
0 modulo ss wrt. ‘V by unwinding. However, the unwinding conditions are proper- 
ties of the state-event system SES involving universal quantifications over equivalence 
classes of events. For practical reasons, we would like to use unwinding conditions UC 
formulated on the original state event system SES as it is indicated by the arrow (*) in 
Fig. 3. In this case, we do not need to explicitly specify or construct ES-- or SES. Also, 
we do not even need to be able to express the construction of ES~ or SES from SES 
in the specification language or mechanism we use. Furthermore, we can reason within 
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the system that we have specified and, presumably, have some intuition about. Similarly 
to the argument in Sect. 3.4 we show for BSD and BSIA how direct unwinding relations 
are derived for specific BSPs. An analogous construction can be done for other BSPs. 

We can show that a given system SES satisfies BSD^> modulo ss using Theorem 4, 
which is applicable if « is an equivalence relation over V and SES is well-defined 
(i.e. T is such that T is functional according to Def. 6). The unwinding conditions that 
we have to show for BSD are Irf ^(SES, x i) and osc^_ (SES. x i) for some arbitrary 
relation xj C S x S (cf. Sect. 2). Similarly, for BSIA[ we need to show that « is an 
equivalence relation, that T is functional, that p is compatible with ss (cf. Theorem 2), 
and that the unwinding conditions lrbe\ ^ (SES, X 2 ) and osc^(SES, X 2 ) hold for some 
arbitrary relation x 2 C S x S. 

We can expand the definition of SES- in these conditions, and rewrite them so 
that they are formulated entirely in terms of SES and the equivalence relation ss. As 
sufficient conditions for BSD, p we then get: 

1 . ss is an equivalence relation over V . 

2. T is a partial function: 

Vs,si,s 2 e S,e\,e 2 G E. e\ « e 2 AT(s,e\,s\) A T(s,e 2 ,S 2 ) ==> si = S 2 • 

3. The unwinding conditions osc (11) and Irf (12) hold: 

Vsi,s\,s' 2 GS,eGE\C. (11) 

reachable(SES, si ) A reachable(SES, s\ ) A s\ — s' 2 A s\ x 1 si 

=>■ 3«2 G S,8 G (E\C)*. 8|y « (e) |y Asi S 2 As' 2 ixiS 2 and 
Vs, s' G S,c G C. reachable(SES,s) A s — c -^t s' => s' Xi s . (12) 

Similarly, for BSIA we get Conditions 1. and 2. as above, and additionally we get: 

3’. The unwinding conditions osc (11) with x 1 replaced by X 2 , and Irbe (13) hold: 

Vs G S,c G C. reachable(SES,s) /\En P ^(SES,s,c) => (13) 

3s / G S. s — s' A s x s' 

with 

En P ^;(SES,s,c) 

p y c 

3(3, y G E* ,si,S2 G S. so — sA y| p (<p) ~ Plp(<p) ^^0 — >t si Asi — >t S 2 

All these conditions do no longer refer to the equivalence classes and can directly be 
formulated in the language and formalism in which the original state-event system was 
formulated. 

4.3 An Example 

We return to Example 1 presented in Sect 3.1, for which a specification in form of a 
state-event system can be given as follows. Let 5= (NU {— 1}) x (N U {— 1. _L}) x 
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{0, 1, _L}, and write {pin = i;sent = j; answered = k} for ( i,j,k ) G S. The start state 
is so = (— 1 , -L, A) = {pin = — 1; sent = _L; answered = _L}. The transition relation T 
is given by the following pre-/postcondition (PP) statements [6], where, e.g., the first 
one means that T(s,SetPIN(i),y) iff s = (— 1 ,j,k) and s' = ( i,j,k ) (for i G N and any 
j,k). 

- SetPIN(/ : N): modifies pin; pre: pin= —1; post: pin' = i. 

- Send(enc(i : NU {— 1})): modifies sent; 

pre: sent = _L A pin = i; post: sent' = i. 

- Repl(enc(acc)): modifies answered; 

pre: sent G N; post: answered = 1. 

- Repl(enc(rej)): modifies answered; 

pre: sent = — 1 ; post: answered = 0. 

It is easy to check that T is a partial function and that this SES induces the ES given in 
Example 1. Define « to be the smallest relation such that Send(enc(x)) ss Send(enc(y)) 
for all x,y and Repl(enc(acc)) « Repl(enc(rej)). 

We now show conditions 1.-3. and 3’ given in the preceding section. ss is trivially 
an equivalence relation, so Condition 1 . holds. T is a partial function provided that 
the successor states s' are uniquely determined by the relations T(s, Send(. . ,) RJ ,s / ) and 
7’(5,Repl(enc(acc)) C3 ,y). Since two events Send(enc(i)) and Send(enc(y)) with i f 
j are never both enabled in the same state (which also holds for Repl(enc(acc)) and 
Repl(enc(rej))), also T is a partial function, and Condition 2 holds. 

Finding a viable unwinding relation is relatively easy in this case: for proving BSD, 
since so is reachable and SetPIN(i) enabled, Irf requires that for i G N 

{pin = i,sent = _L,answered= _L} Xj {pin= — l,sent = _L,answered= _L} 

and similar consideration with osc yield that we also have (i,i, _L) Ki ( — 1 , — 1 , _L) and 
(i,i, 1) k i (—1, —1,0). In the specific case, we can make k symmetric and include un- 
reachable state-pairs in the relation - this will later allow us to reuse the relation for 
proving BSIA. We will therefore use the following symmetric definition of m for k i 
and k 2 (and write k instead of k,). 



(,/i = h = -L) or (ki = k 2 = _L A j\ ± _L A j 2 ± 4 ) or (£i ^ J_ A k 2 ± _L) . 
The unwinding conditions can now be shown to hold for the x that we have defined. 

- hf: Let c be a confidential event, and let s be a reachable state, in which c is enabled. 
This fixes c to be of the form SetPIN(i) and s = so- In the result state s' , we have 
sent and answered unchanged equal to _L, so s' x so, and Irf holds. 

- lrbe p : Similarly, the only state in which a confidential event is enabled is .vo , and 
the successor state s' again has sent and answered unchanged equal to _L, i.e. we 
have yo x s' and lrbe p holds. 

- osc: We have to look at all states and all non-confidential events that are enabled. 
Case distinction over non-confidential events: 
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- e = Send(enc(t)) is enabled in s'j only if sent = _L, and in the successor state 
s 2 we will have sent ^ _L but answered = _L unchanged. For any other state 

n s\ we also have sent = _L, and in the successor state S 2 we thus have 
sent _L but answered = _L unchanged, and this yields s' 2 m S 2 - 

- e = Repl(enc(acc)) is enabled if sent = i (for i £ N) and answered = _L (by 
reachability). Any reachable state in relation m will also have answered = _L 
but might have sent = — 1, in which case Repl(enc(rej)) « e is enabled. In 
any case, the successor states will both have answered _L and will therefore 
be in relation m . 

- e = Repl(enc(rej)) is similar, except that Repl(enc(acc)) and Repl(enc 
(rej)) are exchanged. 

Note that for Example 2 (without the Repl(enc(acc))-event) or Example 3 (without 
Repl(enc(rej))), we fail to prove osc. This is consistent with the earlier observation 
that Example 1 is secure while Examples 2 and 3 are not. 

5 Conclusion 

We presented an approach to investigate possibilistic information flow security for sys- 
tems that include the exchange of encrypted messages. The work was motivated by open 
problems arising in an investigation [14] of information flow security for a scenario of 
comparison shopping agents. The idea of the approach is to identify events correspond- 
ing to messages that an observer cannot distinguish because of the encryption. It has 
been integrated into an existing framework for possibilistic information flow control 
which now allows its application to a wider range of scenarios. 

Compared to modeling encrypted channels using intransitive information flow poli- 
cies, we can investigate whether the encryption actually prevents confidential informa- 
tion from leaking, or whether the occurrence of encrypted messages provides a covert 
channel. In the future we intend to apply our approach to further examples. Also we are 
interested in a combination of our approach with security protocol analysis, in partic- 
ular in how our assumptions about confidential keys relates to the results of the other 
technique. 
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Information Flow Control Revisited: 
Noninfluence = Noninterference + Nonleakage 
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Abstract. We revisit the classical notion of noninterference for state- 
based systems, as presented by Rushby in 1992. We strengthen his re- 
sults in several ways, in particular clarifying the impact of transitive vs. 
intransitive policies on unwinding. Inspired partially by Mantel’s obser- 
vations on unwinding for event systems, we remove the restriction on the 
unwinding relation to be an equivalence and obtain new insights in the 
connection between unwinding relations and observational preorders. 
Moreover, we make two major extensions. Firstly, we introduce the new 
notion of nonleakage, which complements noninterference by focusing 
not on the observability of actions but the information flow during sys- 
tem runs, and then combine it with noninterference, calling the result 
noninfluence. Secondly, we generalize all the results to (possibilistic) non- 
determinism, introducing the notions of uniform step consistency and 
uniform local respect. Finally, we share our experience using nonleakage 
to analyze the confidentiality properties of the Infineon SLE66 chip. 
Like Rushby’s, our theory has been developed and checked using a the- 
orem prover, so there is maximal confidence in its rigor and correctness. 



1 Introduction 

Noninterference, a very strong, abstract and mathematically elegant way of ex- 
pressing secrecy, has been introduced more than two decades ago by Goguen and 
Meseguer [GM82,GM84]. Since then, a large body of work ([Sut86,Fol87,McC90], 
[Rya90,McL94,ZL97,Man00], etc.) has grown generalizing noninterference to non- 
deterministic systems, leading to a variety of definitions that partially coincide 
or exhibit subtle differences. A systematic overview is given by Mantel [Man03]. 

A further dimension of generalization is towards information flow policies 
that are not transitive, used for describing downgrading, information filters and 
channel control. The notion of intransitive noninterference [HY86,Rus92,Pin95] 
has caused some difficulties and debate. Also Roscoe and Goldsmith [RG99] 
motivate and explain intransitive noninterference, but on the other hand add new 
confusion: they criticize the classical definition via the ipurge function, giving 
examples of wrongly implemented downgraders and attributing the problem to 
limitations of the expressiveness of purging, yet the actual problem is at least 
in part due to the semantical discrepancies (i.e. , the implementation errors) 
that they assume and not due to intransitivity. Nevertheless, we believe that 
intransitive noninterference is a notion both valid and practically useful, thus 
we make sure not to limit ourselves to the transitive case. 
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Many approaches focus on event systems and therefore typically use variants 
of process algebras like CSP as the underlying system model. Yet most systems 
that appear in practice are heavily state-oriented. Consequently, when it comes 
to their security, the flow of information contained in the system state often is 
the only thing that really matters or is at least as important as the visibility of 
actions or I/O events. Though state-oriented systems can be described in event- 
oriented formalisms, we feel that this is not very natural. Our aim is to have a 
theory of secure information flow as simple and abstract as possible that models 
state-oriented systems directly, hence we use plain state automata as the underly- 
ing system model. Furthermore, we require verification techniques like unwinding 
theorems implemented in a theorem proving system usable for practical security 
analysis. Moreover, we want to cover both deterministic and (non-total) non- 
deterministic systems and both transitive and intransitive policies. We are not 
aware of a theory that meets all these requirements - for instance, both McCul- 
lough’s restrictiveness [McC90] and the contemporary language-based security 
[SM03] handle deterministic and nondeterministic state-based systems but not 
intransitive policies. So we decided to develop our own theory. 

Rushby’s work [Rus92], using simple automata and handling intransitive non- 
interference yet not nondeterminism, appeared as a good starting point. We 
have implemented a slight variant of his theory, using the state-of-the-art the- 
orem prover Isabelle/HOL [NPW02], removing some unnecessary limitations, 
extending it as straightforwardly as possible to nondeterministic systems, and 
introducing a hierarchy of variants of noninterference that concentrate to vari- 
ous extents on information flow between domains. The complete theory sources 
including proofs are available online [Ohe04] . There is some closely related work 
by Mantel [Man01,Man03] that also handles nondeterminism and unwinding for 
intransitive noninterference. It deals with a large number of variants of nonin- 
terference in a systematic way, but is event-oriented and not implemented in a 
theorem prover. We give more comments on the similarities and differences to 
his approach in the course of presenting our development. 

2 System Model 

We use two simple automaton models for describing systems as deterministic 
or nondeterministic state machines. Each action a of type action transforms 
the state via a total transition function step(a ), following Rushby [Rus92], or a 
(possibly partial and nonfunctional) transition relation Step(a ), respectively 1 . 
step : action x state — > state 
Step : action — > p{state x state) 

Runs of a system are described by lifting steps over action sequences. 
run : action* x state — > state 
Run : action* — > p{state x state ) 

1 Whenever there is a direct correspondence between the deterministic and the non- 
deterministic case, we use the same names except that the versions for the latter 
case are capitalized in part. 
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They are defined by straightforward primitive recursion: 
def run(\\, s) = s 

def run(a a, s) = run{a, step(a , s)) 
def Run([]) = {(s, s)| True} 

def Run(a ^ a) = {(s, t)| 3s'. (s, s') £ Step(a) A ( s',t ) £ Run(a)} 

In the above definitions, ‘Q’ stands for the empty sequence and ‘a a’ 
denotes the action sequence a with the action a prepended to it. 

The initial system state, used for defining classical noninterference even in 
the nondeterministic case, is denoted by So- 

Each action is associated with a security domain used to describe both re- 
strictions on its own visibility and the portion of the state it may read from. 

dom : action — » domain 

There is an output function defined on state yielding some value(s) of type 
output. Output is not associated with an action but with the state alone, i.e., we 
model systems as Moore automata. In order to express the observations possible 
for each security domain, the output function receives an extra parameter of type 
domain. In this respect, we deviate slightly from Rushby’s system model which 
uses Mealy automata where output depends on the security domain indirectly 
via the domain associated with actions. 

output : domain x state — » output 

We use domain instead of action as the extra parameter of output because 
this slightly simplifies some formulations and allows both a more direct inter- 
pretation of access control and an easier comparison with nonleakage. 

3 Generic Notions 

3.1 Policies 

Central to noninterference and its derivatives is the notion of a policy, 

■ • : p( domain x domain ) 

also called interference relation. It expresses that information is allowed to flow 
from the first domain to the second. The complementing relation, -/>, is called 
noninterference relation. Classical multi-level security polices induce a transitive 
interference relation, but others are intransitive: they allow indirect information 
flow via privileged channels like a censoring downgrader or an encryption engine 
while a direct (short-circuit) flow is prohibited. 

As usual, we globally assume reflexivity of policies: Vit. u ^ u. Other as- 
sumptions are of local nature. For instance, for part of our results, transitivity 
of policies is required (but only where explicitly stated). 

3.2 Allowed Source Domains 

In order to express the allowed information flow between domains for (in general) 
intransitive policies, we employ the auxiliary function sources [Rus92], It takes 
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a sequence of actions a and a target domain u and yields the set of domains that 
are allowed to pass information to u immediately or indirectly via (a subsequence 
of) a. The following definition is equivalent to the classical one: 
sources : action* x domain — > p(domain) 
def sources({\, u) = {it} 
def sources(a a,u) = sources(a , u) U 

{w| 3v. dom(a) =w A w ^ v A v £ sources(a,u)} 
For example, a sufficient condition for v £ sources(a\ ' 02 03 ^ 04 ^ [] , u) 

is v = dom(a 2 ) A dom(a 2 ) dom(a,i) A dom{a/Cj ^ u (even if v ■/> u). 

For defining weak nonleakage in §5.3, we will use a second variant called 
chain. It can be derived from the above definition by leaving out the restriction 
dom(a) = w on the chain elements. This variant yields all domains connected 
with the given domain via the relation {(u, w)| True}U U (^-) 2 U . . . U ('^) n 
where n is the length of the action sequence given as the first argument. 

Obviously, sources yields a subset of the result of chain , i.e. sources(a , u) C 
chain(a,u). Moreover, in the case of transitive policies, chain yields a subset of 
in the sense that chain(a,u) C {ie| w ^ u}. 



3.3 Unwinding Relations 

Central for both the well-known unwinding results and our extensions is the 
unwinding relation on states, parameterized by the observing domain u: 

• ~ • : domain — > p(state x state) 

Classically, this relation is a view-partitioning equivalence [Rus92,ZM01] ex- 
pressing indistinguishability of states from ids perspective. In most applications, 
it is simply a pointwise equation on the contents of those variables that u may 
observe. Zdancewic and Myers [ZM01] call this a view of a system S and use it 
for defining an observational equivalence, S 1 ^], on stuttering-equivalent traces. 
In order to maintain confidentiality of information contained in the system state, 
the unwinding relation is to be preserved locally by every computation step. 

Regarding the unwinding relation to be an equivalence is intuitive and valid 
for most cases, yet Mantel pointed out that unwinding does not really require 
symmetry [ManOO] , neither rcflexivity nor transitivity [Man03] , and that in some 
applications the relation is e.g. intransitive 2 . Inspired partially by his results, we 
allow for arbitrary unwinding relations as long as they imply the observational 
equivalence (or preorder, respectively) induced by the output function. Only for 
the unwinding theorems of noninterference, it has to be assumed that for all 
observers the initial state is in unwinding relation with itself: \/u. sq ~ So 

The unwinding relation is lifted in the canonical way to sets of domains, 
inheriting any reflexivity, symmetry, and transitivity properties. 

• « • : p(domain) — > p{state x state) 
def s « t = \/u £ U. s ~ t 

This is not to be confused with intransitivity of the information flow policy. 
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4 Noninterference 

In this section, we slightly improve the theory of noninterference as presented by 
Rushby in [Rus 92 ]. Moreover, we extend the results to nondeterministic systems. 
Also in the two subsequent sections introducing nonleakage and noninfluence, 
we will handle both the deterministic and the nondeterministic case, displaying 
the inherent parallelism between the two cases as far as appropriate. 

4.1 Purging 

We define the classical purge function filtering out confidential events with re- 
spect to (generally) intransitive policies, as introduced in [Rus 92 ]: 

ipurge : domain x action* — > action* 
def ipurge(u , []) = [] 

def ipurge(u, a ^ a) = if dom(a) € sources(a ^ a, u) 

then a ^ ipurge(u, a) else ipurge(u, a) 

For example, ipurge(ai ^ 02 <23 <24 ^ [] , u) = 02 04 ^ [] if aq and <23 may 

not directly nor indirectly (i.e., via any of their successors in the given chain of 
actions) influence u, but if <24 does so directly (i.e., dom(a ± ) u holds) and <22 

indirectly, via dom{a2) ^ domfaft). Generally, ipurge enjoys properties like 

lemma sourcesJpurge : sources(ipurge(u,a),u) = sources(a,u) 
lemma ipurgeAdempotent : ipurge(u, ipurgefu, a)) = ipurge(u, a) 

If we replace the condition domfa) € sources(a a,u) by dom(a) u, 
we obtain the simpler variant typically used for transitive policies, which we 
call tpurge. It can be shown that there is a very intuitive characterization of 
tpurge , namely: tpurge(u,a) removes from a all actions a with dom(a) 'ft* u. 
Moreover, as already stated by Rushby, tpurge coincides with ipurge in the case 
of transitive policies. Therefore, in the following we will use only ipurge because 
it covers both the transitive and the general (possibly intransitive) case. 

4.2 The Deterministic Case 

General version. The essence of noninterference is that an observer cannot 
tell the difference between any system run and the variant of it obtained by 
removing ( “purging” ) all events that he is not allowed to notice directly or indi- 
rectly. In order to formulate this notion and its derivatives in a concise way, we 
first define an observational equivalence relation on the state with an associated 
action sequence. The equivalence is parameterized by the observing domain and 
is induced by the output function applied to the final state after executing the 
respective action sequence. 

• <1 • ^ • < • : domain — > p(state x action* x state x action *) 
def s <1 a t < (3 = output(u , run(a , s)) = output(u, run(/ 3 , t)) 

Using this relation, classical noninterference can be written as 
def noninterference = \/a u. sq <1 a ^ sq <1 ipurge(u, a) 
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Unwinding reduces this global security property to a set of local, step-wise 
properties, in particular the two complementing ones introduced in [Rus92]: 

— step consistency : s ~ t — > step(a, s) ~ step(ci, t), preserves the unwinding 
relation for each action a. Its meaning is that the effects of executing a 
on s and t as far as observable by the domain u, expressed by step(a, s) ~ 
step(a, t), may depend on the previous values in the states s and t observable 
by u, expressed by s ~ t, but on nothing else. This property is used in the 
case that the domain of the action to be performed, dom(a), is allowed to 
interfere with the observing domain u, i.e. dom(a) u. 

— local respect : dom(a) u — > s ~ step(a, s) handles the opposite case. 

We weaken (thus effectively generalize) Rushby’s definition of step consistency: 
def weakly step-consistent = dom ^ 

Ma u s t. dom(a) ^ u A s ~ f A s ~ f — > step(a, s ) ~ step(a , t) 
by adding two premises which make step consistency easier to establish in ap- 
plications. Firstly, dom(a) u states that action a is allowed to interfere with 
the observing domain u. This is just an enhancement of convenience because in 
the other case, dom(a) -/» u, the property can be obtained from local respect. 

. dom(a) . . 

becondly, the premise s ~ t is present not only m the intransitive case, 
as it was before. It allows that the effects of a depend also on the observables of 
dom(a), the “official” input domain that the action a may read from. In Figure 1, 




the large ovals give an extensional view of all variables in the system state. 
The small ovals describe (possibly overlapping) subsets of them - the standard 
interpretation of security domains. The solid arrows depict allowed information 
flow into the domain u induced by a, while the dashed arrow depicts forbidden 
flow. Since the information flow from dom(a) additionally allowed here is both 
very natural and important in applications, the “ordinary” step consistency is 
too strong. Adding the extra premise also for the transitive case is sound, as 
our main unwinding theorem confirms. Ruslrby does not state this sharpened 
result, although he compares the transitive and the intransitive case in detail. 

3 We adopt the convention that ’A’ binds stronger than ’ — >’ 
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Like Mantel [ManOO], we split Rushby’s notion of local respect into a left- 
hand and right-hand variant, which allows us to remove the symmetry constraint 
on the unwinding relation. Moreover, we transform local respect such that it 
preserves rather than introduces the unwinding relation. This not only relieves 
us from requiring transitivity of the unwinding relation, but also yields a stronger 
observational preorder for the nondeterministic case than Mantel’s (see §5.6). 

def localjrespectJeft = Va u s t. dom(a ) -/> u A s ~ t — > step(a, s) ~ t 
def local -respect-right = Mau s t. domfa) -/> u A s ~ t — > s ~ step{a , t) 
def local-respect = local-respect-left A local-respect-right 

One can show easily that under the assumption that the unwinding relation 
is an equivalence, these definitions coincide with the classical one recalled above. 

In the proof of the unwinding theorem for both noninterference and nonleak- 
age, a consequence of local respect is used that is structurally very similar to 
step consistency, but handles the case dom(a) yV u. We call it step respect. 

def step-respect = Va u s t. domfa) -/> u A s ~ t — > step(a, s) ~ step(a, t) 

Obviously, the combination of the left-hand and right-hand variants of local 
respect implies step respect: local-respect — > step-respect 

Assuming Mu. so ~ so and employing output consistency , which is defined as 
def output-consistent = Vust.s~t — » output(u, s) = output(u, t ) 
we can prove the main unwinding theorem for noninterference: 
theorem noninterference : 

weakly step-consistent A local -respect A output-consistent — > noninterference 

This theorem is essentially the same as [Rus92, Theorem 7] except that is not 
(unnecessarily) restricted to intransitive policies. Appendix A gives an abstract 
example of using its extra strength. 

Strong version. Strictly speaking, the classical notion of noninterference only 
states that an observer cannot deduce that the subsequence of all actions that he 
is not allowed to see has occurred. This is because purging removes all unsuitable 
actions from a given sequence, but not part, of them, and neither adds any such 
actions. This shortcoming can be repaired by using the canonical strong version 
of noninterference (cf. e.g. [McC90,Rya90]) that handles arbitrary insertion and 
deletion of secret actions: 

def strong-noninterference = 

Va u (3. ipurge(u, a) = ipurge(u, (3) — » so < a. sq <i (3 

Taking j3 = ipurge(u, a), it is easy to see from the idempotence of purging 
that this version implies the original version of noninterference. On the other 
hand, one can derive the strong version of noninterference from the standard 
right-hand one, exploiting symmetry and transitivity of the observational equiv- 
alence. Thus one can conclude that in the deterministic case, the strong version 
is not strictly stronger than the classical one. 
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The just mentioned proof scheme does not work for the nondeterministic case 
because there the observational preorder (see below) is not symmetric. Therefore, 
we prefer to prove the corresponding “strong” unwinding theorem directly. 

theorem strong -noninterference : weakly step-consistent A 

local-respect A output-consistent — > strong-noninterference 



4.3 The Nondeterministic Case 

After having elaborated classical noninterference and unwinding in the case of 
automata with total deterministic transitions, we now generalize these results to 
partial nondeterministic transitions, trying to parallel the above development as 
far as possible. This kind of transitions is the one that typically occurs in the 
abstract system models that we develop during our security analysis projects. It 
imposes two extra challenges to security: because of partiality, the enabledness 
of action sequences now plays a role in observations, and because of nonfunc- 
tionality, preservation of the unwinding relation becomes more difficult. 

For the reasons just given, we extend the observational equivalence of §4.2 
with the preservation of enabledness, obtaining an observational preorder: 

■ < ■ ^ • <1 • : domain — > p(st,ate x action* x state x action*) 
def s<a^t<\(3 = Vs', (s, s') € Run(a) — ► 

3 1' . (t,t') € Run(/3) A outputiu, s') = output(u,t') 

Using this relation, we define noninterference for nondeterministic systems by 
the canonical generalization of strong noninterference (cf. [McC90, III]): 

def Noninterference = Va u (3. ipurge(u, a) = ipurgefu, f3) — > Sq <s a so < /? 

Simple version. The immediate generalization of step consistency, step respect, 
and local respect for nondeterministic systems is straightforward 4 . Here we define 
only “ordinary” rather than weak step consistency, for reasons given below. 
There is some similarity of these definitions with weak bisimulation, as explained 
e.g. in [RyaOl, §10]. 

def Step-consistent = Va u s s' t. dom(a) ^ u A 

(s, s') € Step(a) A s ~ t — ► (3 1' . (t,t') € Step(a) A s' ~ t') 

def Stepjrespect = Va u s s' t. dom(a) u A 

(s, s') € Step(a) A s ~ t — > (3 1' . (t,t') £ Step(a) A s' ~ t') 

def Local jrespect-left. = 

Va u s s' t. dom(a) u As~t A (s, s') £ Step(a) — > s' ~ t 
def Local jrespect-right = 

Va« s t. dom(a) u A s ~ t — > (3 1'. (t,t') € Step(a) A s ~ t') 

Obviously, Local -respect-left, and Local -respect-right implies Stepjrespect. 

4 Actually, it would be sufficient to state them only for reachable states s and t. We 
refrain from doing so in order to avoid extra clutter in the presentation. 
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Note that for consistency with the preservation of enabledness, the left-hand 
variant assumes the transition between the two states while the right-hand vari- 
ant requires it to be shown. If the unwinding relation is reflexive and transitive, 
our definitions of local respect essentially coincide with those given in [ManOl]: 

Irf : Va u s s' t. dom(a) u — > (s, s') £ Step(a ) — * s' ~ s and 
Irb : Va u s t. dom(a) -/> u — ► 3 tf . (t,if) £ Step(a) A t ~ t' 

Unwinding can be proved essentially as for the deterministic case. 

theorem simple-Noninterference : Step-consistent A Local -respect-left. A 
Localjrespectjright A output-consistent — > Noninterference 



Uniform version. Unfortunately, the classical unwinding results concerning 
weak step consistency cannot be directly transferred to the nondeterministic 
case. This is due to the two premises of weak step consistency, s ~ t and 

s ^ ^ t, which require an inductive argument that in each unwinding step 
the unwinding relation is preserved simultaneously for more than one domain: 

sources(a'-'Qt,u) sources(ot.u) 

(s, s') £ Step(a) As « t — > (3 if. (t,t) £ Step(a) A s' ~ if) 

Without uniformity, (weak) step consistency etc. only guarantee that for each 
v £ sources(a,u) there is a suitable t', but not necessarily a single t' for all v. 

The problem can be circumvented by requiring that the relation Step(a) is 
functional for all actions a, as done in [ManOl]. This means that every transition 
for a with nondeterministic outcome has to be replaced by a set of transitions 
with distinguished actions a', a" , . . . , where the choice between these actions 
is nondeterministic. We would like to avoid requiring such a transformation 
on system descriptions. This is possible, namely by resorting to the stronger 
notions of uniform step consistency , uniform step respect, etc. They generalize 
their counterparts by replacing the unwinding relation for single domains by the 
variant lifted over arbitrary sets of domains. 

. „ ■ ri . \ it t / /—i tt i / \ \ dom(a) 

def uni-btep-consistent = MU asst. (3m £ U. domya) u) A * 

(s, s') £ Step(a) A s ss t 



A s t A 

(3 1'. (t,t') £ Step(a) A s' « t') 

(3m £ U. dom(a) m) A 1/^0 A 



def uniStep-respect = MU a s s' t. 

( s,s ') £ Step(a) A s « t — > (3 1'. (t,t') £ Step(a) A s 



'Zf) 



def uni-Local -respect-right = MU a s t. ^(3m £ U. dom(a) m) A [/^ 0 A 
— > (3 1'. (■ t,t ') £ Step(a) A s « If) 

def uni-Local -respect = Local -respect -left A uni-Local-respect-right 



uni-Local -respect implies uniStep-respect, as well as uni-Local -respect-right 
implies Local-respect-right. A uniform version of Local -respect-left, is not re- 
quired because one can show 

lemma uni-Local-respect.Jeft.D : Local -respect-left. — > 

(s, s') £ Step(a) A ^(3m £ U. dom(a) m) A s s=s t — > s' ~ t 
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With the help of the uniform variants of step consistency and step respect, 
the remaining notions and lemmas carry over from the deterministic variants, 
essentially retaining their structure, and we obtain 

theorem Noninterference : uni Step .consistent A 
uni-Local .respect A output-consistent — » Noninterference 

In applications of this theorem, in general it will take more effort to prove 
the uniform variants of step consistency and local respect. Yet in the important 
special case of a two-level hierarchy of domains {H, L}, to which every transitive 
policy may be reduced, the only non-trivial case is { L }, which happens to be the 
single standard case that has to be considered also for the non-uniform variants. 

If in an application the relation Step(a) is functional from the outset or has 
been transformed to be functional for every a, i.e. Vs t t' . ( s,t ) G Step(a) A 
(s,V) € Step(a) — > t = t', the original and the uniform variants of step consis- 
tency and step respect etc. coincide and therefore it is sufficient to prove only 
the simpler original versions. 

5 Nonleakage 

Classical noninterference is concerned with the visibility of events , or to be more 
precise, with the secrets that events introduce in the system state and that are 
possibly observed via outputs. While this is the adequate notion for some sorts of 
applications, there are many others where the concern is not to hide the fact that 
some secret event has (or has not) occurred but to prevent that initially present 
secret information leaks out of the domain(s) it is intended to be confined to. The 
most important of them apparently is language-based information-flow security 
where type systems give sufficient conditions for confidentiality; see [SM03] for 
an up-to-date survey. Its semantical core is that variations of high-level data 
(input) should not cause a variation of low-level data (output). In our notation, 
assuming that s ~ t means that the low-level portions of the two states s and 
t are equal, this can be written as s ~ t — * step(a , s ) ~ step(a, t) which is 
nothing but the common structure of step consistency and step respect. 

Language-based security typically handles only the two-level domain hier- 
archy {H,L} and in particular does not address intransitive policies. Inspired 
by our results on noninterference, we generalize it to arbitrary multi-domain 
policies. As already argued in §4.2 and depicted by Figure 1, it then becomes 
important to take into account the domain an action or transition (which in the 
automata-oriented setting is the analogon to atomic statements in the program- 
ming language setting) is allowed to read from. Therefore, the above formula 

has to be generalized to ( domfa ) u — > s ~ ^ t) A s ~ t — > step(a, s ) ~ 
step(a,t ), which is nothing but the conjunction of weak step consistency and 
step respect. The conjunction of the two premises can equivalently be written 

sources(a'~'\],u) 

as s sa t, and further generalizing this idea from a single step to an 

arbitrary sequence of actions, we arrive at the new notion of nonleakage. 
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5.1 Notion 

A system is said to be nonleaking iff for any pair of states s and t and observing 
domain it, the two states resulting from running any action sequence a on s and 
t are indistinguishable for u if s and t have been indistinguishable for all domains 
that may (directly or indirectly) interfere with u during the run of a: 

sources(ot,u ) u 

def nonleakage = Va s u t. s « t — > s <1 a t <1 a 

Or put in other words, for any sequence a of actions performed by the system, 
the outcome of it’s observations is independent of variations in all domains except 
for those in sources{a 1 u ), from which (direct or indirect) information flow in 
the course of a is allowed. Therefore, the relation in the premise is not simply 
the unwinding relation s ~ t as for language-based security but the conjunction 
of all s A t where v £ sources(a , it). 

As motivated above, nonleakage can also be seen as the global criterion on al- 
lowed vs. actual information flow between domains that is induced by the local 
criteria of weak step consistency and step respect depicted by Figure 1. 

Note that in comparison to the theory of noninterference, purging is not 
needed, and we do not relate the outcome of runs of different action sequences 
on the same initial state Sq but of the same action sequence on two states suit- 
ably related at the beginning. Moreover, the unwinding relation is used not only 
as part of the proof technique, but also for specifying what a domain is allowed 
to observe. Indeed, it is a rather common approach (cf. [RG99]) to define non- 
interference in terms of an unwinding relations. 

The above notion that initially present secrets do not leak can be simulated 
using noninterference: by prepending all system runs with a sequence of secret 
actions that produce the secrets in question and considering all subsequent ac- 
tions non-secret such that they will not be purged. After the initial sequence, 
the two intermediate states reached in the purged and in the non-purged run 
are thus handled by noninterference in the same way as by nonleakage. Still we 
believe that is worthwhile to have the simpler, independent notion of nonleakage 
that expresses the desired information flow property directly. 

5.2 Unwinding 

For nonleakage and its descendants introduced below, the unwinding techniques 
are analogous to those for noninterference. From the above introduction of non- 
leakage, it is easy to see that nonleakage is implied by weak step consistency, 
step respect, and output consistency, whereas local respect is not required: 

theorem nonleakage : 

weakly step-consistent A step-respect A output-consistent — > nonleakage 

Apart from the fact that nonleakage can handle an arbitrary number of 
domains and arbitrary interference relations between them, the other major 
difference to language-based security is that, due to the more general automata- 
tlreory setting, we cannot give a type system that allows for static checks of 
confidentiality (provided the type system is sound). Instead, unwinding gives 
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local semantic conditions for confidentiality, which are harder to verify but on 
the other hand are (presumably) complete. 

5.3 Weak Nonleakage 

sources(ca,u ) 

The assignment of domains to actions and the resulting relation ss gives a 

very fine-grained control over the information flow caused by action sequences a. 
Often this is not actually needed (or possible), namely if actions are not distin- 
guished or else domains are not assigned to them, such that individual input 
domains of transitions cannot be specified. Replacing sources(a,u) with super- 
sets not referring to particular actions, we obtain weaker variants of nonleakage. 

Using chain(a , u), the set of all domains that may interfere with u via a chain 
of domains whose length is at most the length of a, we obtain weak nonleakage: 

chain(ct,u ) u 

def weakjnonleakage = Va s u t. s ss t — » s < a jj t < a 

For any action sequence a, any domain u may be influenced only by domains 
linked to u via up to a chain length given by a. One can understand this 
notion as an inductive, multi-domain generalization of language-based security, 
interpreting atomic statements as unclassified actions and attributing program 
variables a domain structure with a possibly intransitive interference relation. 

As sources(a,u) is a subset of chain{a,u), nonleakage implies weak-nonleak- 
age. Due to the use of chain, in unwinding proofs it suffices to use very weak 
versions of step consistency and step respect that allow one to assume that 
the unwinding relation holds for all domains that may influence the current 
domain u. Moreover, since the domains of actions do not longer play a role, step 
consistency and step respect collapse into a single notion: 
def weakstep-consistentjrespect = 

{it;| w^u} u 

Vs u t. s ss t — > Va. step(a, s ) ~ stepia , t) 

This notion can also be seen as the direct generalization of language-based secu- 
rity to transitive multi-domain policies. Here we use it for unwinding, as follows: 
theorem weakjnonleakage : 

weakstep-consistentjrespect A output-consistent. — > weakjnonleakage 

5.4 Transitive Weak Nonleakage 

If actions do not have domains associated with them and additionally the length 
of a -chain is not of interest, for instance if the interference relation is tran- 
sitive, we can further replace chain(a,u) with the even simpler {ic w u }: 

{it; | w^u} u 

def transjweakjnonleakage = Vs u t. s « t — > Va. s < a t <s a 

Transitive weak nonleakage expresses that if two states are initially indistin- 
guishable for all domains that may influence u, then u cannot tell them apart 
after any sequence of actions. We share our experience using it (for the nonde- 
terministic case) in §7. Actually, the application described there had motivated 
our research on noninterference and its variants presented in this article. 
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For transitive policies, weak-nonleakage implies transjweak-nonleakage , 
hence we obtain 

theorem transjweak-nonleakage : 

weakstep-consistent jrespect A output-consistent — > trans -weak -nonleakage 

Note the strong similarities between the global property of transitive weak non- 
leakage and the associated local criterion weakstep-consistent-respect. 



5.5 The Nondeterministic Case 

All results on nonleakage generalize to the nondeterministic case in analogy with 
noninterference. We give the formal details without further ado in Appendix B. 



5.6 Observation and Unwinding Relations 

The notion of nonleakage and its connection with the proof of unwinding prop- 
erties gives rise to some new insights on observational equivalence (or preorders) 
and their connection with unwinding relations. 

The observational equivalence s < a t < a can be seen as equal outcome of 
tests on s and t : an attacker belonging to domain u tries to distinguish the two 
states on their secret contents by attending and/or executing actions a. This is 
closely related to the passive and active attacks defined by Zdancewic and Myers 
[ZM01]. 

Recall that in the deterministic case, the observed outcome of tests is solely 
output(u,run(a, s)) and output(u,run(a,t)), respectively. In the nondetermin- 
istic case, where we use the observational preorder s <1 a ^ t < a, the outcome 
is additionally the enabledness of the event sequence a. If output respects the 
unwinding relation ~, our observational equivalence seems to be equivalent to 
£[«] defined in [ZM01]. Since any output may be encoded by the enabledness of 
certain “probing” actions, our observational preorder is in fact also very similar 
to the one implicitly used by Mantel [Man03, Remark 5.2.2], namely, preserva- 
tion of enabledness for every sequence a of visible events. The only difference is 
that this preorder is weaker because it restricts a to non-secret events (from ids 
perspective), i.e. there is no chance for “higher-level” events accidentally helping 
u to distinguish the two states. One can - and we do - allow for an arbitrary 
mixture of secret and non-secret events because the unwinding relation is pre- 
served not only by (weak) step consistency dealing with the visible actions, but 
also by step respect dealing with the invisible ones. 

Mantel states that preservation of enabledness (for sequences of visible events) 
is implied by the unwinding relation, which in the above sense is analogous to 
output consistency requiring that equality of outputs is implied by unwinding. 

As already mentioned, neither Mantel’s nor our theory requires that the 
unwinding relation is reflexive, symmetric, or transitive, while the observational 
equivalence (or preorder) is weaker and necessarily reflexive and transitive. One 
could regard the latter as the reflexive and transitive closure of the former, and 
for many applications, both relations even coincide. 
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6 Noninfluence 

As Mantel and Sabelfeld [MS01] point out, it is important to combine language- 
based security (of information flow in local computations) and the secrecy of 
(inter-process communication) events. They achieve this by translating a multi- 
threaded while-language with variables labeled either high or low to state-event 
systems with deterministic transitions and prove the two corresponding notions 
of security equivalent. We can also deal with both worlds (even for intransitive 
policies and unrestrictedly nondeterministic systems) by combining noninterfer- 
ence and nonleakage, obtaining a new security notion that we call noninfluence: 

sources(at,u ) u 

def noninfluence = Va s u t. s « t — > s < a ^ t < ipurge(a , u ) 

Note that here no translation between system descriptions is needed. 
Noninfluence is the adequate security notion for state-oriented systems if both 

— the occurrence of certain events, which may introduce new secrets, should 
not be observed, as with classical noninterference, and 

— initially present secret data should not be leaked. Allowing for any two in- 
distinguishable initial states s and t rather than the same (and fixed) initial 
states so gives the extra strength of noninfluence over noninterference. 

One could also define a variant of noninfluence resembling the stronger for- 
mulation of noninterference allowing arbitrary insertion and deletion of actions. 

It is interesting to observe that the proof of the main unwinding theorem 
for noninterference (cf. §4.2) uses a lemma which already states essentially the 
above formula (apart from applying the output function on the result of run), 

sources(ot,u ) 

namely s « t — > run(a,s ) = run(ipurge(u,a),t) . Rushby uses it too 

[Rus92, Lemma 5], yet he does not attribute to it an independent value. Its extra 
strength is needed to get through the main induction in the proof, though later 
it is specialized to s = t = sq to deduce noninterference. Thus, noninfluence 
implies noninterference if Vu. so ~ so holds. 

In the light of the new notion of noninfluence, both noninterference and 
nonleakage are just special cases where either leakage of initial secrets or the 
visibility of secret events does not play a role. Nevertheless, it makes sense to 
keep both of them because they are simpler than noninfluence, and nonleakage 
does not require local respect. 

From the observation in the last paragraph it will be clear that the unwinding 
theorem for noninfluence requires only those preconditions already used for for 
noninterference, even though the conclusion is stronger - it simply makes the 
strength already contained in [Rus92, Lemma 5] available as a security prop- 
erty in its own right. Recall that technically it is even slightly stronger because 
unwinding may be an arbitrary (even nonreflexive) relation rather than an equiv- 
alence. 

theorem noninfluence : 

weakly step-consistent A local -respect A output-consistent. — * noninfluence 



The generalization to the nondeterministic case is given in Appendix B. 
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7 Security of the Infineon SLE66 

As a concrete example of applying the purely state-based notion of nonleakage, 
we sketch an extended security analysis of the Infineon SLE66 smart card proces- 
sor. The main security objective for this device is that part of the chip-internal 
security mechanisms and secret data like the master encryption key is not leaked 
to any non-autlrorized observer or manipulator, called “spy”. 

In the course of the evaluation of the chip according to ITSEC and Com- 
mon Criteria, an abstract formal security model, the so-called “LKW model” 
[LKWOO] has been developed and later machine-checked [OL02] using the ISM 
approach and toolset [ON02]. This model takes a rather naive view of informa- 
tion leakage: a secret value is revealed to the spy if and only if its representation 
appears on the external interface of the chip. This interpretation does not ac- 
count for partial or indirect leakage of information that may be used to deduce 
at least certain properties of the secret values. 

We have improved the security analysis using transitive weak nonleakage 
(for nondeterministic systems). This is the adequate notion for the SLE66 be- 
cause the observability of actions does not play a role, but the information 
flow between domains. Only two security domains, Sec and NSec, are distin- 
guished, so the interference relation is trivially transitive and we have to show 
weak -uni-Step -consistent -respect only for U = {NSec}, as explained at the end 
of §4.3. Since encryption is not explicit in the model, we do not have to deal with 
bogus “interference” of secret keys with encrypted outputs, though this would 
be possible by stating an intransitive information flow via the encryption unit. 

For the unwinding relation we choose an equivalence that states equality for 
all parts of the chip state that is allowed to be observed from outside, namely 
the phases of the chip life-cycle, the availability of chip functionality (see below), 
and all non-secret data values. Once the right relation has been chosen, the proof 
is rather schematic and in this case not very difficult. The only complication is 
that the property holds only for reachable states for which suitable invariants 
hold, but we can re-use the invariants that we had already shown during the 
previous analysis. 

Conducting the proof, we obtained the following results. 

— It is crucial that chip functions do not internally leak secret data or give them 
away via the chip interface. Since chip functionality is heavily underspecified, 
this auxiliary property cannot be proved but has to be provided as an axiom. 

— The possibility that at most one (encrypted) secret data value or the encryp- 
tion key itself gets leaked is explicitly allowed by the chip designers because 
there is no practical means to prevent this. This leakage is actually found 
during the proof. Yet it does not do harm because immediately thereafter 
the chip gets completely locked such that no more values can be obtained 
and thus not both some encrypted data and the key are known to the spy. 

— The chip cannot avoid leaking the availability even of those functions that 
are considered to be secret (whereas their actual code is not leaked). 

— Apart from the exceptions just given, no secret information, not even any 
partial information about secret data, can be leaked. 
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8 Conclusion 

We have refined Rushby’s work on noninterference by rectifying its minor short- 
comings concerning transitive vs. intransitive policies and the requirements on 
the unwinding relation. This opens a wider range of applications and enables 
stronger results like in Appendix A. We have significantly extended Rushby’s 
theory to handle nondeterministic systems, introducing uniform step consistency. 

We have introduced notions of information flow security that have not been 
considered before but naturally arise from re-interpreting Rushby’s unwinding 
lemmas, and gained new insights in the nature of unwinding and observability. 
Nonleakage has a high application potential because it generalizes language- 
based security to arbitrary policies and state-transforming systems. Noninfluence 
combines this with classical event-oriented noninterference. 

It should be worthwhile conducting further theoretical investigations, e.g. 
on completeness of the unwinding conditions and the comparison with related 
notions like (robust) declassification and bisimulation. 

Our theory has been implemented in the interactive theorem proving system 
Isabelle/HOL. As the example of the SLE66 shows, it is ready to be applied in 
the formal security analysis of state-oriented systems. 

Acknowledgments. We thank John Ruslrby, Heiko Mantel, Peter Ryan, Volk- 
mar Lotz, Stephan Merz, Tamara Rezk, and several anonymous referees for their 
encouragement and feedback on drafts of this paper. 
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A Access Control Interpretation 

As a (rather abstract) application of our strengthened noninterference theory, 
we give an improvement of Rushby’s access control interpretation [Rus92, §2.1]. 

Employing our unwinding theorem which works for both transitive and in- 
transitive interference relations, we only have to show weak step consistency. 
Doing so, we have stronger preconditions and thus can dispense with the mono- 
tonicity condition u v — » observe(u) C observe(v), which, according to 
Rushby, had forced the transitive completion of the policy. In effect, we gener- 
alize his access control interpretation to the general (possibly intransitive) case. 
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In order to express access control, the system model is extended by adding 
structure to the state, which now becomes a function that maps names to values: 

contents : state x name — » value 

Policies are refined accordingly, associating each domain with a set of names 
of objects that it is allowed to read and write, respectively: 

observe : domain — > p(name) 
alter : domain — » p{name) 

Following Rushby, for the application of the unwinding theorem, we use the 
canonical unwinding relation induced by contents and observe, 

def s rt t = Vn £ observe(u). contents(s,n ) = contents(t, n) 

which happens to be an equivalence, though we do not take advantage of this. 

Rushby introduces three reference monitor assumptions. The first of them is 
the already introduced output consistency: 

def RMA\ = output-consistent 

As a matter of fact, if the output function yields all values observable for 
the given domain, i.e. outputfu, s) = {content s(s,n) |n| n € observe u}, output 
consistency is fulfilled immediately. 

Rushby’s second reference monitor assumption states that if an action a 
changes the value at some location n, the new value depends only on domfa). 
Due to our observation that weak step consistency is sufficient in any case, we 
can use a weaker variant of it, offering the extra premises domfa) u, s ~ t, 
and n £ observe u which allow information flow into n from any domain u that 
is allowed to observe n and that may be influenced by the input domain of a. 

_ . w dom(a) i / \ it 7 

del RMA 2 = vaustn.s ~ t A domya) ^ u A s ~ t A n £ observe u A 
(contents(step(a,s),n) 7 ^ contents{s,n) V 
contents(step(a,t),n) ^ content s(t,n)) — > 
content s(step(a, s),n) = contents(step(a,t),n ) 

Interestingly, weak step consistency can now be derived from the second 
reference monitor assumption alone: RMA 2 — > weakly ^step .consistent 
The third assumption, stating that any changes must be granted by alter, 

def RMA 3 = 

Va s n. contents(step(a,s),n) 7 ^ contents(s,n) — > n £ alter(dom(a)) 
in conjunction with the remaining condition of Rushby’s Theorem 2, 
def AC -policy -consistent = Vit v. alterfu) fl observe{v ) yf 0 — > u ^ v 
implies local respect: RMA 3 A AC -policy -consistent — > local-respect. 

Hence, we can prove enforcement of access control 
theorem access-controlsecure : 

RMA\ A RMA 2 A RMA 3 A AC -policy -consistent — > noninterference 
under weaker assumptions than Rushby does: we do not require that 
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— observe and alter induce a transitive information flow policy, 

— granted information flow induces a hierarchy of observable locations, nor 

— information flow into a location n from any domain that is allowed to ob- 
serve n and that may be influenced by the input domain of the current action 
does not occur. 



B Nondeterministic Nonleakage and Noninfluence 

Nonleakage. 

sources(oi,u) u 

def Nonleakage = Va s u t. s « t — > s < a ^ t < a 



theorem Nonleakage : 

uniStep-Consistent A uniStep-respect A output-consistent — > Nonleakage 



Weak nonleakage. 



chain(a,u ) u 

def uieak-N onleakage = Va s u t. s ~ t, — > s < a ^ t, < a 

As above, Nonleakage — > weak-N onleakage. 

def weak-uniStep-consistent-respect = \/U a s s' t. U ^ 0 A 

fw\ w^u\ U 

(s, s') G Step(a ) A (Vu £ U. s ~ t ) — ► (3 t . (f, t') G Step(a ) As'« t') 



theorem weak-N onleakage : 

weak-uniStep-Consistent-respeet A output-consistent — > weak -Nonleakage 



Transitive weak nonleakage. 

{u»| W'^-u} u 

def transjweak-N onleakage = Vs ut. s « t — > Va. s<a^f<ia 

For transitive policies, weak-N onleakage — > transjweak-N onleakage, hence 

theorem transjweak-N onleakage : 

weak-uni-Step-Consistent-respect A output-consistent — » 
transjweak-N onleakage 



Noninfluence. 

Paralleling the deterministic case as far as possible, we define 
def Noninfluence = 

sources(ct,u ) _ _ u 

Va P s u t. s ~ t A ipurge(u, a) = ipurge(u, (3 ) — > s < a ^ t, <\ (3 
and obtain 

theorem Noninfluence : 

uniStep-Consistent A uni-Localjrespect A output-consistent — > Noninfluence 
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Abstract. Access control languages which support administrative con- 
trols, and thus allow the ordinary permissions of a system to change, have 
traditionally been constructed with first order predicate logic or graph 
rewriting rules. We introduce a new access control model to implement 
administrative controls directly in terms of the security properties - we 
call this Security Property Based Administrative Controls (SPBAC). 
Administrative approval is required only when a security property is 
changed (violated) relative to the current configuration. We show that 
in the case of information flow, and its effects on both integrity and confi- 
dentiality, SPBACs are implementable, and the necessary administrative 
approvals exactly determinable. 



1 Introduction 

In sufficiently static protection systems, such as Lattice-Based Access Controls 
(LB AC) [1] or Type Enforcement (TE) [2,3], security properties such as allowed 
information flow are decidable. 

Unfortunately, such systems are inflexible. For LBAC, consider the two most 
important security models, Bell-LaPadula [4] and Biba [5]. Both of these provide 
absolute security properties: In Bell-LaPadula, the security property ensures that 
the readership of information (i.e., the confidentiality) is never enlarged, and 
hence information is never disclosed beyond its original readership. In Biba, the 
quality (“integrity”) of an object is bounded by its lowest quality input, ensuring 
that lower quality information does not pollute higher quality information. 

In real systems, the security properties are not uniformly applicable. For ex- 
ample, even military security systems require the ability to declassify informa- 
tion, overriding the confidentiality security property of Bell-LaPadula. Similarly, 
information flow integrity is not limited by Biba Integrity considerations: It is 
possible to increase the ultimate quality of information beyond the worst qual- 
ity input by cross checking the information. Unfortunately these overrides, while 
necessary, are not part of the LBAC model. 

On the other hand, TE does not have these restrictions. TE controls are 
sufficient to enforce these properties yet flexible enough to selectively not enforce 
them. We believe that this is a significant advantage over LBAC and one of 
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the primary reasons that TE is gaining in popularity. TE also enables other 
security properties to be enforced which are difficult or impossible to enforce with 
LBAC, such as specifying the executables allowed to read or write an object of a 
specific type. Our concern here, however, is only with information flow security 
properties. 

TE’s flexibility is limited since there is no provision for modifications to the 
protection scheme, and hence there is very limited control over whether or how 
the protection system can change. In contrast, with LBAC the lattice can be 
augmented in well controlled ways ensuring that the security properties can be 
maintained - for example, by adding another category or compartment. But since 
TE selectively enforces security properties, it is not clear when making changes 
whether a given security property should hold in that part of the system (e.g., 
confidentiality) or whether it can be violated (e.g., declassification). 

We note that although both Bell-LaPadula and Biba have their genesis in 
military security, they apply selectively to all environments. For example, an 
owner of a personal computer may want to ensure that her credit card number 
is not disclosed outside a limited number of trusted vendors 1 . Or a medical 
practice may want to ensure that information entered into patient files is from a 
hospital, lab, or staff trusted to provide such information. While it is always safe 
to maintain such security properties, real systems cannot impose these properties 
uniformly across the entire system. 

It seems desirable to combine the elegant security properties of LBAC, and 
their implications for how the system can evolve over time, with the flexibility 
of selective application of security properties. To enable security properties to 
hold selectively, administrative controls - those which enable changes to ordinary 
permissions - are needed. We call the class of administrative controls introduced 
here Security Property Based Administrative Controls (SPBAC). 

In this paper, we describe a decidable mechanism for administrative controls 
which ensures that administrative approval is required exactly when information 
flow security properties are violated. Although there are other security properties 
besides information flow, the information flow based security properties are both 
interesting and important. For example, these administrative controls can be 
configured to ensure: 

1. Approval is never granted to violate a specific information flow security 
property at a fine grain. That is, the information flow security property may 
be inviolate in some parts of the system but not others or 

2. Approval may require specific individuals (specified in terms of groups) to 
concur in the approval. 

The protection system’s initial configuration defines not only the ordinary 
permissions, but also the administrative controls to enable a security property 
to be selectively enforced. Changes to the ordinary protection requires adminis- 
trative approval only if it modifies some existing security properties. 

1 The mechanisms discussed here are the access control part of providing such protec- 
tions; they need appropriate network authentication mechanisms to be complete. 
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Trivial changes to the protection system, that have no impact on the secu- 
rity properties, clo not require any approval 2 . This significantly simplifies the 
mechanism needed while ensuring that security properties are maintained. 

The paper is organized as follows: In Section 2 we review related work. In 
Section 3 we describe the mechanisms of our model to support ordinary - that 
is, non-administrative activities. Of particular interest is a new permission we 
call mayFlow. In Section 4 we describe the administrative controls and their 
rationale. In Section 5 we show that the administrative approvals necessary can 
be exactly determined, identifying the security properties which are violated and 
requiring the appropriate administrators to concur in a change to the system. 
Finally, we conclude in Section 6. 

2 Related Work 

One of the problems that occurs with sufficiently dynamic protection systems is 
that security properties can be undecidable: Harrison, R.uzzo, and Ullman first 
showed that a security property, safety was undecidable in their model [6]. 

Sandlru’s Typed Access Model (TAM) [7] associates a fixed type with each 
subject and each object. Although TAM has the same undecidable safety prop- 
erty as HRU, Sandlru showed that if TAM is restricted to be monotonic then 
the problem is decidable. More recently, Soshi [8] showed that a different, non- 
monotonic restriction, Dynamic TAM, also has a decidable safety property, under 
the restriction that the number of objects in a system is bounded. 

Take-grant can be used to represent information flow issues which are decid- 
able [9], but does not support administrative controls.. 

RBAC models have traditionally been constructed using either first order 
predicate logic or graph transformation rules. Unfortunately, either of these con- 
structions can lead to undecidability results. For example, both RBAC’96 [10] 
and ARBAC’97 [11] are undecidable [12,13]. The most vexing problems for de- 
cidability seem to arise from administrative controls. 

Tidswell and Jaeger created Dynamic Typed Access Control (DTAC) which 
extends TE to dynamic types and is capable of implementing administrative 
controls [14,15]. These were implemented as runtime checks in the operating 
system to ensure that various safety properties are not violated [16]. In this 
paper, we show how security properties can be enforced statically and enable 
administrators to understand when and where they are being violated. 

Koch and colleagues described a model based on graph transformations, and 
showed that it was decidable if no step both added and deleted parts of the graph 
[17, 18]. This means that no command may both remove and add privileges. This 
restriction can be viewed as a somewhat milder form of monotonicity. Take-Grant 
also obeys this restriction. 

We have recently shown that administrative controls for classical DAC sys- 
tems can be implemented in a decidable language [19]. The SPBAC model here 
uses both the groups and unary permissions of the DAC model. The full SPBAC 
information flow model is also decidable [20]. 

2 Some simple approval might be necessary to prevent creation of superfluous entities. 
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As with Foley, Gong, and Qian [21] we make extensive use of relabeling to 
encode protection state: Foley et al. allow a user to relabel an object to one she 
cannot access. In our case, relabels are used to change group membership and 
are associated with permissions. 

We note that while we discuss information flow, we do not consider covert 
flows, which in any event are tied to the execution model. 



3 Ordinary Privileges 

Our model consists of users, objects, labels, permissions, and groups. Each user 
is authenticated and individuals who can use the system are one-to-one with 
users. A process derives its authority to perform an operation from the user on 
whose behalf the process executes. 



3.1 Unary and mayFlow Privileges 

Privileges to access an object are based on the label of that object. Each label 
l and privilege p is mapped to a group of users who have privilege p on objects 
with that label. This mapping is defined when the label is created and thus 
the group is fixed, although the group’s membership can change. Each label is 
mapped to three groups: 

— r(l): the group which can read objects labeled l. 

— w(l): the group which can write, that is, create or modify, objects labeled l. 
Write privileges do not imply read privileges. 

— x(l): the group which can execute objects labeled l 3 . 

A new binary privilege, mayFlow is introduced to control information flow: 

— mayFlow(l, l 1 ): the group that can write V after having read l. This is a nec- 
essary, but not sufficient condition since mayFlow does not include privileges 
to read l or write V . 

Therefore, for a process executing on behalf of user u to read l and then write 
l', the following must hold: u € r(l) C\w(l') r\mayFlow(l, l'). Note that the above 
must hold for each l read prior to writing V . 

MayFlow need not be defined on all label pairs. For pairs on which mayFlow 
is not yet defined, the specified flow may not occur. Unlike with lattices, mayFlow 
is not transitive, so each allowed flow must be individually specified. 

Bell-LaPadula Example. Consider the diamond lattice shown below. Let cleared x 
be the group of users whose clearance level is x or above. Bell-LaPadula for this 
lattice can be represented with mayFlows as follows: 

3 Execute privileges are included here for completeness; they do not play any further 
role in this paper. 
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For all x, y such that in the lattice x < y: 
mayFlow(x,y) = clearedL 

All other mayFlows have the value of the empty group. 

In addition, for all clearances x: 

r(x) = w(x) = clearedx 

The user groups are defined taking advantage of the ability of our model 
to construct hierarchical groups (see the next subsection). Hence, clearedL C 
clearedMi C clearedu and clearedL C deared/v/2 C clearedn ■ Note, for exam- 
ple, that a process which reads objects labeled respectively Ml and H cannot 
then write an object labeled Ml since mayFlow(H, Ml) is the empty group. 

We note that Bell-LaPadula does not specify access control rules but rather 
describes constraints which must be satisfied by the access control rules. Many 
variants of Bell-LaPadula can be constructed by modifying the above rules or 
group construction. 

3.2 Groups 

The group structure is summarized here and is based upon Solworth and Sloan 
[19] where more details and examples can be found. 

A group set defines a collection of related groups. The structure of the group 
set enables relationships to be maintained between its constituent groups such 
as hierarchy of groups or partitioning of users between groups. Instead of using 
constraints to maintain relationships, our mechanism relies on permissions. 

Group objects are 1-for-l with users in the group set. Each group set contains 
0 or more group objects with labels (U, G) where U is a user ID and G is a group 
tag which is unique to the group set (the object does not have any contents, only 
its label is of interest). At any given time, for each group set and for all users 
U, there is at most one label whose first component is U. 

Group membership is defined using a set of patterns applied to the group 
object labels. Each pattern is of the form (*u, G) - matching any user with group 
tag G, or of the form (U, G) - matching user U and group tag G. Group relabels 
change group tags and hence group membership. 

Changing a user’s group membership within the group set’s groups is con- 
trolled by relabel permissions. The permission Relabel(G,G') = g enables a 
member of group g (the membership secretary) to change a group object labeled 
(U, G) to (U, G'), for any U. 

When adding a new user U to the system, U can be automatically added to 
the group set. The group set’s new user rule specifies an optional tag G. When U 
is added to the system, the group mechanism creates a group object with label 
(U,G). Group objects can only be created by the group mechanism, and only 
when initializing the group set or when adding a new user. 

A user U is removed by permanently disabling their login, after which C/’s 
group objects can be garbage collected. 
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The general properties of group sets are: 

— A group determines a set of users and each group is in some group set. 

— A group’s membership is controlled by a membership secretary which is itself 
a group. 

— New users can be automatically added to a group set (and to its groups) as 
a consequence of creating the user. 

— Changes in group membership can be constrained by relabel rules. 

— Groups in a group set can be constructed so that the groups have relative 
structure, such as hierarchy (one group always contains another) or partition 
(a user cannot be simultaneously a member of two separate groups). 

The membership secretary mechanism constrains group membership and is inde- 
pendent of the security property administrative controls discussed in Section 4. 

This completes the definition of groups but there is an issue which arises 
when a user U is removed from a group g via a relabel. Under this condition, to 
maintain the relative structure properties on group sets, all processes running on 
behalf of U and having used privileges based on membership in g are terminated. 

4 Administrative Privileges 

Conceptually, the system is configured, verified, and then made operational, or 
goes “live”. Before the system goes live, entities such as groups, labels, objects, 
permissions, and users may be created. 

After the system goes live, instances of each of these entities can still be 
created. To create entities after the system goes live which modify the security 
properties, security property approval must be given appropriate both to the 
security properties changed and to the part of the system where the changes 
occur. 

We distinguish three separate levels of actions that can be performed in our 
model: 

Ordinary. These actions are governed by the mechanism described in Section 3, 
and include (1) create, read, and write objects and (2) change membership 
of groups (including the addition of new users) 4 . 

SysAdmin Actions. Actions performed by system administrators (except for 
adding new users) but which do not violate any security property. These ac- 
tions include the (1) creation of new groups, (2) definition of new mayFlows 
not requiring security property approval, and (3) the creation of new labels. 
Security Property Approvals. Actions performed by administrators which 
require approval because they directly or indirectly effect security proper- 
ties. When security property approvals are requested, an administrator is 

4 The rationale here is that since any user could be in a membership secretary and 
therefore change group membership, and since new users only gain privileges through 
group membership, it is logically consistent to have in the same category everything 
about how a group evolves. 
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given all the information needed to make a decision. The security property 
approvals include (1) integrity relations and (2) mayFlows which violate 
existing security properties. 

The idea here is that SysAdmin Actions can be delegated to technical adminis- 
trators because they do not effect the core security properties of the system. 

In Figure 1, our SPBAC hierarchy is shown. The layered design ensures a 
given layer’s implementation only depends upon lower layers; hence there can 
be no loops in the layer dependencies. As a consequence of our layered design, 
administrative controls have no effect over groups, and in particular over group 
membership. Hence, security property approvals need to be resilient across all 
future group memberships. (The group membership mechanism restricts group 
membership, so this is a meaningful goal). 



Ordinary Permissions 
Administrative 



groups 



Fig. 1. Access Control Hierarchy 



Our primary focus shall be on the effect of defining new mayFlows. (Note 
that existing permissions cannot be changed 5 once established). Secondarily, we 
shall be concerned with the issues that effect future approval of mayFlows. 

In subsection 4.1 we will describe the administrative entities that need to be 
added, beyond what is necessary for ordinary permission, to support changes to 
the information flow properties of the system. In subsection 4.2 we describe how 
we keep track of the relevant past actions. In subsection 4.3, we describe the 
conditions under which security property approvals are required. 

4.1 Administrative Entities 

We introduce here the entities to support administration of information flow 
security properties. These are the administrative permissions associated with 
labels and integrity relations on pairs of labels. 

Administrative permissions associated with labels. For information flow, all se- 
curity property approval is associated with labels. In particular, for each label 
we define three administrative permissions at the time of label creation: 

ac(l) The (administrative) group which can approve exceptions to confidential- 
ity for label l\ 

5 However, existing permissions can be added incrementally by defining a new 
may Flow. 
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ai(l) The (administrative) group which can approve exceptions to integrity for 
label l. These exceptions either allow flows violating current integrity rela- 
tions or create additional integrity relations; and 
af(l) The (administrative) group which can approve flows into or out of l. 

We note that the first two permissions, ac(l) and ai(l ), are for security property 
approvals while the last permission, af(l) does not effect security properties. 

We shall require that administrative groups ~ those used for administrative 
permissions - are distinct from ordinary groups - those used for ordinary per- 
missions. Furthermore each administrative group is the only group defined in its 
group set. These properties hold not only for the administrative group, but also 
for its membership secretary (and recursively for their membership secretaries, 
etc.). The purpose of these restrictions on groups is to ensure that (i) adminis- 
trative permissions don’t interact with ordinary permissions and (ii) that there is 
no interaction between administrative groups in which a group being nonempty 
requires another group to be empty. 

Integrity relations. Each ordered pair of labels can (optionally) be associated 
with an integrity relationship. (If no integrity relationship is defined between a 
pair of labels, we must assume the worst case). From an integrity standpoint, 
it is always safe to include information from an object with greater integrity 
into one with lower integrity. Hence, no integrity security property approvals are 
required to allow a write to an object with integrity level i after having read 
only objects whose integrity levels are at or above i. 

Definition 1. The relative integrity of two labels, l and V is written 
geqlntegrity(l,l'), meaning that the integrity level of l is at least as high as 
V . The transitive closure of the relationship geqlntegrity is called the effective 
integrity and is denoted l>l'. It is reflexive and transitive. 

Note that the effective integrity is not a partial order, because there can exist 
two distinct labels l ^ l' with both geqlntegrity (l, l') and geqlntegrityff ,1). 
Instead, effective integrity is a poset of integrity levels , where multiple labels 
may correspond to one integrity level. 

4.2 Tracking Past Actions 

The analysis provided in section 5 will consider future actions. In order for this 
to track all flows, we also need to track past actions. The information on past 
actions is all relative to the flows over a defined mayFlow(l, l'). 

We define didFlow(l,l') to be the set of labels that could have actually 
flowed across mayFlow(l,l'). The set didFlow(lJ') tracks the actual flows, and 
is updated every time a process writes V after having read l. 

Let Howed(l) = Ucesystem didFlowff , l ) U {l}. Then: 

didFlow{l , l') <— didFlow{l , l') U flowed(l) 

Note that the granularity of information is at the label level - not the object 
level - and hence forms an upper bound on information flow. We next define 
flow along V to capture past flows. 
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Definition 2. Let V be path [Zi , Z 2 , . . . , l n ]. There was a (past) flow along V 
if fl € didFlow(li,li + i) for 0 < i < n. 

4.3 Security Property Approvals 

We now consider actions which might require security property approval. 

As described in Section 3.1, if mayFlow(l , l') is not defined, then information 
cannot directly flow from l to l' , absent an action to create a mayFlow edge. 

The mayFlow relation describes a permission. We shall use the the term can 
flow to denote the flows that are actually possible without any SysAdmin actions 
or security property approvals. That is, information can flow from l to l' if and 
only if there is a sequence of labels [l = fl, fl, ■ ■ ■ , l' = l n } such that in sequential 
order for i = 1 . . .n — 1 some user itj can (1) read li, (2) write U+i, and (3) 
mayFlow li to fl+\. Such a sequence of labels is called a can flow path. Can flows 
denote possible future flows. To get all possible flows, actual past and possible 
future flows must be combined. Hence given a past flow along [fl, fl, ■ ■ ■ ,lk\ and 
a can flow [fl, fl+i, ■ ■ ■ fln\ there is an extended can flow [fl, fl, ■ ■ ■ , l n ], because 
that information has flown from 1 1 to fl and could flow to l n . 

Now we consider the requirements for security property approval to add a 
mayFlow definition for a pair of labels. In an SPBAC, security property ap- 
proval is needed for exactly those changes that affect the security properties of 
the system. The effect can be either direct or indirect. For example, adding a 
mayFlow definition changes the “extended can-flow paths” in the system and 
so obviously is directly related to security properties. Other operations, such as 
defining an integrity relation, are indirectly related to the security properties 
since their definition is used in determining whether the security property holds. 

Confidentiality depends on both the extended can-flow paths and on the 
readership. The readership is totally defined by the read permissions on a label 
(i.e., r(l)) together with the group definition. Defining confidentiality in terms 
of extended can flow paths means that the extended can flow path [fl,fl,fl] is 
different from [Zi , Z 4 , Z 3 ] even if the only readership which can be less than fl is 
fl. The rationale is that Zi’s administrator may trust the group who can write 
fl (after reading fl) to remove sensitive information when doing so, but is un- 
willing to similarly trust the corresponding groups for fl. This example is shown 
graphically in Figure 2. It is exactly the violation of security properties (such 
as information flow) which must be examined by administrators to determine 
appropriate trust. These trust issues are external to the system - that is, they 
must rely on the judgment of the trustworthiness of groups - and hence can only 
be decided by administrators. 

Integrity is, as usual, more subtle than confidentiality. Biba captures the 
integrity issues arising from the quality of inputs 6 . The quality of the inputs 
cannot be determined from the access controls but must be separately specified. 

6 The various implementations of Biba, including low-water mark and ring integrity, 
do not vary in what information may flow but only in how the processes are labeled 
and whether objects are relabeled. 
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Fig. 2. Path based approval where edges indicate can flow 



Integrity security property approval is needed only on information which 
flows from li to l n where li ^ l n and for which the extended can-flow path used 
have not been previously approved. Such a flow is reasonable only in limited 
circumstances - that is, when there is some action which increases the quality of 
the output over the input. Hence, any time “questionable” inputs are incorpo- 
rated somewhere along the chain, ai(l n ) must give security property approval. 
For example, integrity can be raised by a user with sufficient judgment and/or 
knowledge to vet the information or by cross checking against various sources. 
The entity that so raises the level can either be a user or a program. Once again 
the particular extended can-flow path is critical, because only the path ensures 
that the integrity has been raised in an appropriate way. 

We next give formal requirements of security property approval. Adding a 
new mayFlow(l, l') gives rise to a new set of extended can-flow paths. If there 
exists a new extended can-flow path P = [li,h, ■ ■ ■ ,l n ] such that: 

Confidentiality. It is possible that r(l n ) % r(l i) then approval by ac(l\) is 
needed. 

Integrity. The condition 1 1 ^ l n holds then approval by ai(l n ) is needed. 

In addition, approval is required by af(l) and by af(l'), but these are not security 
property approvals, they are merely SysAdmin actions. We are also interested in 
any indirect effect which would change the approvals needed by a direct effect. 
There is only one indirect effect which arises from adding an integrity relation- 
ship. 

Add integrity relationship. Unlike confidentiality, which is defined implicitly 
via the read permission, integrity must be defined separately from permissions. 
Hence, to define this new relationship geqlntegrity(l 1 1 1 ) all labels whose integrity 
is effected by the relationship must agree. 

It is flow from higher integrity levels to lower integrity levels which requires 
no approval. Hence, establishing a relationship geqlntegrity(l,l') that induces 
l 0 l\ must be approved by ai(l i), since l\ is agreeing to accept future flows 
from Iq without question so it must approve the new relationship. 

5 Formal Results on System Properties 

In this section, we give a number of formal results about our system showing 
that the security property approvals can be exactly computed. We begin with 
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a discussion of an appropriate state space to represent such a system. Next we 
show that the mayFlow system is reasonable in the sense the we can exactly 
determine: 

— The can flow and extended can-flow paths; 

— The security property approvals needed for confidentiality and integrity for 
a new mayFlow definition; and 

— The flows possible without any security property approvals. 

Together, these show that everything needed to implement our administrative 
controls can be implemented. 

5.1 State Space of SPBAC 

Definition 3. A state of a system includes the following information about the 
system: set of current users, the set of current groups and their memberships, 
the set of current labels, the assigned permissions and integrity levels. The state 
space SS(so) is a directed graph on states that includes sq and every state 
reachable from so by a sequence of legal changes to the system, and has an edge 
(s, s') exactly when s' is a legal successor state to s. The ordinary state space, 
SSo(sq) is the subset SS(sq) reachable from so using only ordinary actions. 
The approvaless state space, SSa(so) is the subset SS(sq) reachable from sq 
without any security property approvals. 

The possible changes from one state to the next include: a user being removed 
or added to a group (including a new user being added to a group when added to 
the system), any SysAdmin actions, and any actions requiring security property 
approvals. 

Definition 4. A sequence of labels si = [Zi , I 2 , ■ ■ ■ , l n \ (e-g., a can- flow path) can 
be embedded in SS(sq) (respectively SSa{s 0 ), SSo(so)) (for information 
flow) if there exists a sequence of states ss = [<o = So> ti> £ 2 , • • ■ , t n -i], where 
for each 0 < j < n: 

— either tj = tj-i ortj is a successor oftj-i in SS(sq) (respectively SSa(so), 
SSo(sq) ) and 

— in state tj there exists a user who can (1) read lj, (2) write lj+i, and 
(3) mayFlowlfj ,lj + i) . 

Notice that a sequence of labels that can be embedded in SSo(sq) is a can- 
flow path. 

Determining Approvals for a mayFlow 

Confidentiality or integrity security property approval is needed when defining 
a new mayFlow(l, l 1 ) if the definition would add a new extended can-flow path 
that violates the confidentiality or integrity relation described in Section 4.3. We 
next exhibit an algorithm to determine this, developed in a series of lemmas. 

The key to determining approvals is generating the set of all can- flow paths. 
From this, we will then show how to calculate the new extended can- flow paths. 
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Lemma 1. There is an algorithm to determine which can- flow paths exist in a 
given state so of the system. 

Proof. We first show how to construct a finite state space from SSo(sq) - un- 
fortunately, SSo(sq) is not finite because of the addition of new users. The 
constructed state space contains only information about the groups, and in par- 
ticular two kinds of information about the groups: which groups are empty (for 
membership secretary) and whether there is a particular user who is simulta- 
neously a member of various read, write, and mayFlow groups for information 
flow. 

Then we show that a bounded algorithm can compute all the can-flow paths. 

The representation of SSo(s o) is an extension of the form used in [19]. We use 
a tuple of sets, one set for each group tag that exists in state So- The elements of 
these sets can be any or all of: (1) initial user IDs (for users existing in state so); 
(2) L — 1 newly minted user IDs, where L is the number of labels; and (3) the 
special symbol T, representing an arbitrary number of new users. (As we shall 
see, the reason that L-l newly minted user IDs are needed is that an existing 
can flow path will require at most L — 1 mayFlow traversals.) 

In our representation of the initial state of so, the elements of g' s group tag set 
include all users U such that a group label (U, G) exists in state so- Additionally, 
the newly minted user IDs and the element T are in G’s group tag set if some 
group set contains a rule for adding new users with tag G. The T indicates an 
unbounded number of group labels with tag G (one for each new user) could be 
added at any time after state so; the new IDs represent named new users. 

To determine successor states, we will need to know whether various groups 
in the current state are nonempty. Group go is nonempty in a state if and only 
if there is some group tag G such that group go’s pattern contains either 

1. the pair (*it, G) and the group tag set of G is nonempty, or 

2. the pair (U, G) and initial user XJ is in the group tag set of G. 

Now we compute successor states. Each relabel rule for group labels is of the 
form “For any user U, a group label (U, G) can be changed to (U, G') by any 
member of group m.” Such a rule leads to new states if both the membership 
secretary group m is nonempty in the current state, and G’s group tag set is 
nonempty. In this case, for each user ID U in G’s set, there is a successor state 
in which U is removed from G’s set and added to G"’s set. Additionally, if G’s 
set contains T and G'’s set does not contain T, then there is a successor state 
in which both contain T. This is because if there is an unbounded number of 
G group tags for added users, then using relabels we can create an unbounded 
number of G' group tags while still retaining an unbounded number of G group 
tags. Since we added new users to every initial group that could get new users in 
the initial state, we need not worry about the introduction of new users later.) 
There are only finitely many possible states, so the construction must halt. 

Now we need to compute the set of can-flow paths from this finite represen- 
tation of SSo(s o). A flow between two different labels l and l' can occur in a 
state s of SSo(sq) if and only if there is a user - either initial or named new 
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user - who is in all three groups r(l), w(l'), and mayFlow(l,l') in state s. (The 
L — l newly minted users are needed because it may be that no initial user could 
ever become a member of r(l) (~l w(V) fl mayFlow(l,l') but that a newly added 
user could. In the worst case, we would need L—l such newly added users, one 
for each edge of a flow path containing all L labels.) Now we compute for every 
state which ordered pairs of labels can have flow in that state. 

Now cf = [Zi , . . . , l„] can be embedded in 6hSo(so) if and only if there is a 
path through the state space starting at the initial state and passing through 
states where each can-flow edge (li,U+ 1 ) is possible, in order for 1 < i < n — 1, 
with no repeated states between any two can-flows (because we could delete 
such a cycle) . (It is possible that multiple successive can-flow edges could all be 
located in one state.) 

Corollary 1. For any two fixed, system state so and si, there is an algorithm 
to determine which extended can- flow paths exist in si and not in sq. 

Proof Sketch. First, for each of the two states, calculate all the can-flow paths. 
Next, for each of the two states, for each possible path V , determine whether 
there was a past flow along V using the didFlow information. For each of the two 
states, a path is an extended can-flow path if it can be formed as the concate- 
nation of a path with past flow and a can-flow path. Finally, take the difference 
of the two sets of extended can-flow paths. 

Lemma 2. For a fixed state of the system Sq, there is an algorithm to deter- 
mine which integrity security property approvals, if any, are needed to approve 
a request to define mayFlow(l a ,lb) = g. 

Proof. Calculate which new extended can-flow paths approving the request 
would add using Corollary 1. Without SysAdmin actions, the labels and the 
effective integrity relation are fixed. So for each new extended can-flow path, 
cf = [Zi, . . . , l n \, check if l\ P l n . If not, ai(l n ) must approve. 

Lemma 3. For a fixed state of the system sq, there is an algorithm to determine 
which confidentiality security property approvals, if any, are needed to approve 
a request to define mayFlow(l a ,lb) = g. 

Proof. Similarly to the proof the Lemma 2, calculate which new extended can 
flow paths would be added by approving mayFlow(l a ,lb) = g. For each new 
V = [Zi, I 2 , ■ ■ ■ , l n ], security property approval by ac(l\) is needed if in any state 
reachable from t„_ 1 , r(l n ) % r(l 1 ). 

We are now ready to state: 

Theorem 1. The exact security property approvals needed to define mayFlow 
(la, lb) = g are computable. 



Proof. It follows immediately from Lemmas 2 and 3. 
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Finally, we show that we can analyze which information flows are possible 
with no security property approval. That is, which flows could occur in the 
approvaless state space (using only ordinary actions and SysAdmin actions that 
do not require security property approval). This is an extension of Theorem 1. 

Theorem 2. Given any state so> it is decidable whether information can flow 
from label l to l' without any security property approvals. 

Proof. First, observe that we can still ignore the addition of new labels. Without 
any security property approvals, a new label will have no integrity relation to any 
other label, and in that case it cannot have any flow in or out without security 
property approval of a mayFlow. 

We argue that the only new groups needed are all the constant one-user 
groups. With no new labels, the only place new groups could be used would 
be to define new mayFlows. It might be that a “good” choice of group for a 
mayFlow would limit the number of new can-flow paths, and hence extended 
can flow paths, created. However, it suffices to consider constant groups that are 
as small as possible, and changing groups that have some relation (e.g., disjoint) 
to existing groups. For the second case, the groups must be in the same group 
set. (This argument is elaborated in [20].) 

We next extend the construction of SSo(sq) in Lemma 1 to construct a 
representation of SSa(so). In particular we must consider for each state whether 
there is a successor state which defines a new mayFlow. 

First add to each state the set of currently defined mayFlow permissions. The 
construction is similar to that in the lemma, with the addition that for each state 
and each currently undefined mayFlow (l a , lb) hr the state, we add a successor 
state which contains mayFlow(l a , 4) = r(l a ) if it can be done approvalessly. The 
determination of whether the mayFlow definition is approvaless can be done by 
Theorem 1. 

6 Conclusions 

In this paper, we have introduced a new access control model called Security 
Property Based Administrative Controls (SPBAC). A SPBAC system seeks to 
maintain security properties, such as confidentiality and integrity, by: 

— determining the effect on security properties of proposed (administrative) 
changes to the ordinary (non-administrative) part of the protection systems 
and 

— seeking appropriate administrative approvals for those security properties 
which are violated. 

An SPBAC allows selective violation of security properties, easy approval of 
changes which do not effect security properties, and localized (that is, dis- 
tributed) control of the system by different administrators. 

We believe, and give some evidence here, that the security properties violated 
in an SPBAC are exactly those that need reasoning about the trust placed in 
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individuals to perform sensitive functions. These are the issues that an admin- 
istrator should be thinking about when making changes to a system. 

For information flow, we show how the security properties we develop imple- 
ment Biba Integrity and Bell-LaPadula Confidentiality. We describe the design 
of such a system and its rationale, in particular a permission we call mayFlow 
and administrative groups associated with labels. 

We show that the properties needed to perform administrative controls are 
decidable: (1) That we can exactly determine information flows (can-flow path), 
(2) that we can tell what security properties are violated and hence what admin- 
istrative approvals would be necessary, and (3) we can determine all the flows 
that would be possible without violating any security property. 

Our proofs rely on a state space construction. However, the state space is 
needed only to perform exact analysis. For administrative approvals it is cer- 
tainly possible to tradeoff more approvals against much faster computation of 
the approvals requested. 

SPBACs security properties are decidable [20] in a domain where access 
control methods have historically not been - that is administrative controls. 
Moreover we believe, and give some evidence in this paper, that they are non- 
restrictive in the sense that they can represent all (or almost all) the relevant 
properties of one or more security properties. 
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Abstract. All security services rely to a great extent on some notion of trust. 
However, even today, there is no accepted formalism or technique for the specifi- 
cation of trust and for reasoning about trust. Secure systems have been developed 
under the premise that concepts like “trusted” or “trustworthy” are well under- 
stood, unfortunately without even agreeing to what “trust” means, how to mea- 
sure it, how to compare two trust values and how to combine two trust values. 
In this work we propose a new vector model of trust. Our model proposes the 
notion of different degrees of trust, differentiates between trust and distrust and 
formalizes the dependence of trust on time. We believe that our model will help 
answer some of the questions posed earlier. 



1 Introduction 

Confidentiality, integrity and availability of systems and information resources are in- 
creasingly becoming critical in our everyday life. To protect such resources it is impor- 
tant that we are able to determine the appropriate security policies. The notion of trust 
plays a critical role for the proper formulation of security policies. However, even today, 
there are no accepted formalisms or techniques for the specification of trust and for rea- 
soning about trust. Secure systems have been built under the premise that concepts like 
“trustworthiness” or “trusted” are well understood, unfortunately without even agreeing 
on what “trust” means, how to measure it, how to compare two trust values and how 
to compose the same. This creates a number of problems in building secure systems, 
particularly those that are composed from several different components. 

Consider, for example, the operational information base in a large corporation. Typi- 
cally, this is generated with the accumulation of information from several sources. Some 
of these sources are under the direct administrative control of the corporation and thus 
are considered trustworthy. Other sources are “friendly” sources and information orig- 
inating directly from them are also considered trustworthy. However, these “friendly” 
sources may have derived information from their own sources which the corporation 
does not have any first hand knowledge about; if such third-hand information is made 
available to the corporation, then the corporation has no real basis for determining the 
quality of that information. It will be rather naive for the corporation to trust this infor- 
mation to the same extent that it trusts information from sources under its direct control. 
Similarly not trusting this information at all is also too simplistic. Existing binary mod- 
els of trust (where trust has only two values, “no trust” and “complete trust” and which 
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are the ones most widely used in computer systems) will, nonetheless, categorize the 
trust value to one of these two levels. Existing trust models (even those that associate 
multiple levels to trust) do not provide satisfactory answers to questions such as: (i) 
What expectations can the corporation reasonably have about the usefulness of such in- 
formation? (ii) What are the activities that the corporation can expect such information 
to fulfill without much problem? (iii) What are the activities that the corporation does 
not want to fulfill using this information? 

The above observations prompt us to propose a new model of trust in which trust is 
defined as a vector of numeric values. Each element of the vector is a parameter in deter- 
mining the value of trust. We identify three such parameters in our model. We propose 
methods to determine the values corresponding to these parameters. Substituting values 
for each of these parameters in the trust vector provides a value for trust of a certain 
degree. To make the concept of different degrees of trust more intuitive, we associate a 
numeric value in the range [—1,1] with the trust vector. The value in the positive region 
of this range is used to express trust and that in the negative region is used to express 
distrust. Uncertainty about trust and distrust is expressed using the value zero. We de- 
fine operators to map a trust vector to a trust value within this range and also from a 
trust value to a trust vector. We investigate the dynamic nature of trust - how trust (or 
distrust) changes over time. Finally we observe that trust depends on trust itself - that 
is a trust relationship established at some point of time in the past will influence the 
computation of trust at the current time. We formalize this notion in our model. 

The rest of the paper is organized as follows: In section 2 we briefly describe some 
of the more important works in the area of trust models. In section 3 we present our 
model of trust. We begin this section with the definition of trust that we use in the rest of 
the work. We define the parameters that contribute towards a value for trust. In sections 
3.3, 3.4 and 3.5 we derive expressions to estimate each of these parameters. Then in 
section 3.6 we introduce the concept of normalized trust followed by, in section 3.7, the 
definition of the concept of value of trust. Section 3.8 deals with trust dynamics - the 
dependence of trust on time. In section 4 we define the dominance relation between two 
trust relationships that allow us to identify how two trust relationships compare. Finally 
section 5 concludes with a discussion of our future work. 



2 Related Work 

A number of logic-based formalisms of trust have been proposed by researchers. Al- 
most all of these view trust as a binary relation. Forms of first order logic [1-3] and 
modal logic or its modification [4] have been variously used to model trust in these 
cases. Simple relational formulae like A trusts B are used to model trust between two 
entities. Each formalism extends this primitive construct to include features such as 
temporal constraints and predicate arguments. Given these primitives and the traditional 
conjunction, disjunction, negation and implication operators, these logical frameworks 
express trust rules in some language and reason about these properties. Abdul-Rahman 
and Hailes [3] propose a trust model, based on “reputation” that allows artificial agents 
to reason about trustworthiness and allows real people to automate that process. Jones 
and Firozabadi [5] models trust as the issue of reliability of an agent’s transmission. 
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They use a variant of modal logic to model various trust scenarios. They also use their 
language to model the concepts of deception and an entity’s trust in another entity. 

Yahalom et al. [6, 7] propose a formal model for deriving new trust relationships 
from existing ones. In [6] the authors propose a model for expressing trust relations 
in authentication protocols, together with an algorithm for deriving trust relations from 
recommendations. In [7] rules and algorithms for obtaining public keys based on trust 
relationships are developed. Neither of these works define what is meant by trust. Beth 
et al. [8] extend the ideas presented by Yahalom et al. to include relative trust. This 
work proposes a method for extracting trust values based on experiences and recom- 
mendations and also a method for deriving new trust values from existing ones within 
a network of trust relationships. Jpsang [9-11] proposes a model for trust based on a 
general model for expressing relatively uncertain beliefs about the truth of statements. 
Trust is an opinion, which is expressed as a triplet < b,d,u >£ {b.d.u}. Here b, d, 
and u are respectively measures of one’s belief, disbelief, and uncertainty in a propo- 
sition. A major shortcoming of this model is that it has no mechanism for monitoring 
trust relationships to re-evaluate their constraints. Cohen et al. [12] propose an alterna- 
tive, more differentiated conception of trust, called Argument-based Probabilistic Trust 
model (APT). The most important use of APT is to chart how trust varies, from one user 
to another, from one decision aid to another, from one situation to another, and across 
phases of decision aid use. 

Xiong and Liu [13] present a coherent adaptive trust model for quantifying and com- 
paring the trustworthiness of peers based on a transaction-based feedback system. They 
propose three basic trust parameters - peer feedback through transactions, total number 
of transactions a peer performs, and credibility of the feedback sources. The authors ad- 
dress factors that influence peer-to-peer trust, like reputation systems and misbehavior 
of peers by giving false feedback. The authors also provide a trust metric for predicting 
a given peer’s likelihood of a successful transaction in the future. Purser [14] presents a 
simple, graphical approach to model trust. He points out the relationship between trust 
and risk and argues that for every trust relationship, there exists a risk associated with a 
breach of the trust extended. Trust relationships are modeled as directed graphs where 
trust is an unidirectional directed edge from the trusting entity to the trusted entity. The 
author includes context (to define scope of trust), associated confidence level, associated 
risk and transitivity value, Bacharach and Gambetta [15] embark on a re-orientation of 
the theory of trust. They define trust as a particular belief, which arises in games with 
a certain payoff structure. They also identify the source of the primary trust problem 
in the uncertainty about the payoffs of the trustee. According to the authors, the trustor 
must judge whether apparent signs of trustworthiness are themselves to be trusted. 

3 Our Model 

We adopt the definition of trust as provided by Grandison and Sloman [16]. 

Definition 1. Trust is defined to be the firm belief in the competence of an entity to act 
dependably , reliably and securely within a specific context. 

In the same work, Grandison and Sloman define distrust as the “lack of firm belief 
in the competence of an entity to act dependably, securely and reliably”. However, we 
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believe distrust is somewhat stronger than just “lacking a belief”. Grandison and Slo- 
man’s definition suggests the possibility of ambivalence in making a decision regarding 
distrust. We choose to be more precise and thus define distrust as follows. 

Definition 2. Distrust is defined as the firm belief in the incompetence of an entity to 
act dependably, securely and reliably within a specific context. 

Trust is specified as a trust relationship between a truster - an entity that trusts the 
target entity - and a trustee - the entity that is trusted. The truster is always an active 
entity (for example, a human being or a subject). The trustee can either be an active 
entity or a passive entity (for example, a piece of information or a software). We use 
the following notation to specify a trust relationship - (A — ^ /i)' v . We call this the 
normalized trust relationship. It specifies A’s normalized trust on it at a given time t for 
a particular context c. This relationship is obtained from the simple trust relationship 
- (A — — > B) t - by combining the latter with a normalizing factor. We also introduce 
a concept called the value of a trust relationship. This is denoted by the expression 
v(A — B)^ and is a number in [—1,1] that is associated with the normalized trust 
relationship. 

3.1 Trust Context 

A trust relationship between a truster, A, and a trustee, B, is never absolute [16]. Always, 
the truster trusts the trustee with respect to its ability to perform a specific action or 
provide a specific service. For example, an entity A may trust another entity B about 
the latter’s ability to keep a secret. However, this does not mean if A wants a job done 
efficiently, A will trust B to it. Similarly, if we want to compare two trust values, we 
just cannot compare two arbitrary trust values. We need to compare the values for trust 
which serves similar purposes. This leads us to associate a notion of context with a trust 
relationship. We begin by defining the notion of atomic purpose of a trust relationship. 

Definition 3. The atomic purpose of a trust relationship (A — ^ B) t is one of 

1. TS-1 The truster trusts a trustee to access resources that the truster controls. 

2. TS-2 The truster trusts the trustee to provide a service that does not involve access 
to the truster’s resources. 

3. TS-3 The truster trusts the trustee to make decisions on its behalf. 

The truster may also trust the trustee for some combination of these atomic pur- 
poses. For example the truster may trust the trustee to provide a service and make deci- 
sions. 

Definition 4. The purpose of a trust relationship is defined as follows. 

1. An atomic purpose is a purpose of a trust relationship. 

2. The negation of a purpose denoted by “not” purpose, is a purpose. 

3. Two purposes connected by the operator “and” form a purpose. 

4. Two purposes connected by the operator “or” form a purpose. 

5. Nothing else is a purpose. 
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We are interested in three aspects - dependability, security and reliability - of the 
trustee. Combining the concepts of trust purposes and trustee aspects, we define the 
notion of trust context as the interrelated conditions in which trust exists or occurs. For 
example, let a truster. A, trust a trustee, B’s dependability to provide a service and make 
a decision. The “dependability to provide a service and make a decision” is considered 
to be the trust context. Let S denote the set of trust purposes and the set of trustee 
aspects identified above. Then a trust context is defined as follows. 

Definitions. The context, c(T), of a trust relationship T is defined as a function that 
takes a trust relationship as an input and returns a sequence of tuples of the form < 
$1 ,ai > | < S2, | • where 

1. s, : S x S — > S and 

2. aj:JZxA->A 

3.2 Trust Evaluation 

We define a trust value in terms of a vector of numbers. Each element in the trust vec- 
tor represents a parameter that contributes towards the trust value. Before we formally 
define these trust parameters, we would like to point to two characteristics of trust (or 
distrust). The first is the dynamic nature of trust. Trust changes over time. Even if there 
is no change in the underlying factors that influence trust over a time period, the value 
of trust at the end of the period is not the same as that at the beginning of the period. 
Irrespective of our initial trust or distrust decision, over a period of time we gradually 
become non-decisive or uncertain about the trust decision. This leads us to claim that 
trust (and alternately distrust) decays over time - both tends towards a non-decisive 
value over time. 

The second characteristic is, what is often called th e propensity to trust [16]. Given 
the same set of values for the factors that influence trust, two trusters may come up 
with two different trust values for the same trustee. We believe that there are two main 
reasons for this. First, during evaluation of a trust value, a truster may assign different 
weights to the different factors that influence trust. The weights will depend on the 
trust evaluation policy of the truster. So if two different trusters assign two different 
sets of weights, then the resulting trust value will be different. The second reason is 
applicable only when the truster is a human being and is completely subjective in nature 
- one person may be more trusting than another. We believe that this latter concept 
is extremely difficult to model. We choose to disregard this feature in our model and 
assume that all trusters are trusting to the same extent. We capture the first factor using 
the concept of a trust evaluation policy vector, which is simply a vector of weight 
values. 

We begin by identifying three different parameters that influence trust values. 

Definition 6. The experience of a truster about a trustee is defined as the measure of 
the cumulative effect of a number of events that were encountered by the truster with 
respect to the trustee in a particular context and over a specified period of time. 

The trust value of a truster on a trustee can change because of the truster’s expe- 
riences with the trustee in the particular context. Each experience that can influence 
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the degree of trust is interpreted by the truster as either a trust-positive experience or a 
trust-negative experience. A trust-positive experience contributes towards a gain in trust 
degree whereas a trust-negative experience contributes towards a loss in trust degree. 

Definition 7. The knowledge of the truster regarding a trustee for a particular context 
is defined as a measure of the condition of awareness of the truster through acquain- 
tance with, familiarity of or understanding of a science, art or technique. 

The trust value of a truster on a trustee can change because of some knowledge 
that the truster comes to posses regarding the trustee for the particular context. Knowl- 
edge can be of two types - direct knowledge and indirect knowledge. Direct knowledge 
is one which the truster acquires by itself. It may be obtained by the truster in some 
earlier time for some purpose or, it may be a piece of information about the trustee 
for which the truster has a concrete proof to be true. Indirect knowledge, on the other 
hand, is something that the truster does not acquire by itself. The source of indirect 
knowledge is the reputation of the trustee in the context. The truster may get the idea 
about the reputation of trustee from various sources like reviews, journals, news bul- 
letin, people’s opinion etc. As with experience, we can have trust-positive knowledge 
and trust-negative knowledge. 

Definition 8. A recommendation about a trustee is defined as a measure of the subjec- 
tive or objective judgment of a recommender about the trustee to the truster. 

The trust value of a truster on a trustee can change because of a recommendation for 
the trustee. We can have a trust-positive recommendation and a trust-negative recom- 
mendation. Moreover, recommendation can be obtained by the truster from more than 
one source. 

To compute a trust relationship we assume that each of these three factors is ex- 
pressed in terms of a numeric value in the range [— 1 , 1], A -ve value for the component 
is used to indicate the trust-negative type for the component, whereas a +ve value for 
the component is used to indicate the trust-positive type of the component. A 0 (zero) 
value for the component indicates neither positive effect nore negative effect on the trust 
value. 



3.3 Evaluating Experience 

We model experience in terms of the number of events encountered by a truster. A, 
regarding a trustee, B in the context c within a specified period of time [fo,f„]. We assume 
that A has a record of the events since time to. An event can be either trust-positive or 
trust-negative depending whether it contributes towards a trust-positive experience or a 
trust-negative experience. 

Let N denote the set of natural numbers. The set of time instances {to, t \ , . . ., t„ } 
is a totally ordered set ordered by the temporal relation A (called the precedes-in-time 
relation) as follows: Vi, j £ N , t, A tj •<=> i < j. We use the symbol t, A tj to signify either 
tj A tj or tj = tj. Let also cy denote the k th event. Events happen at time instances. We 
define the concept event-occurrence-time as follows: 
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Definition 9. Event-occurrence-time ET is a function that takes an event e k as input 
and returns the time instance, tj at which the event occurred. Formally, ET : e k — > tj. 

We divide the time period [tQ,t„] over which the events have occurred into a set 
T of n intervals, [foVi], [hfo], ■ [?«— t ,?« ] such that for any interval [ti,tj], tj -< tj. 

A particular interval, [t k - tA], is referred to the k r/ ' interval. We extend the -< relation 
on T and the time intervals are also totally ordered by the -< relation as follows - 
Vi,j,k,l G N , [ tj,tj ] -< [t k .ti] <G> tj -< t k . Finally, the intervals are non-overlapping, that 
is, Vi,j,k,l G N, [ti,tj] n [t k ,ti] = (J). 

Definition 10. Let ‘L denote the set of all even ts. A sequence of events, Ce, is the set 
of events e\, e 2 , ■■■, e„, e ,■ G E, such thatVi,j, ET(ej) G [t k ,ti] -^ET(ej) G [t k ,ti\ and 
such that\/i,j G N , e, -< ej ££ i < j. 

Let P denote the set of all trust-positive events and Q denote the set of all trust- 
negative events (that is, £ = {PU Q}). We assign equal numeric weights to all events, 
trust-positive or trust-negative, within a given interval. Let v ki be the weight of the k ,h 
event in the i th interval. We assign a weight of +1 if an event is in the set P and -1 if the 
event is in the set Q. Thus, 



v ki = 




, if e k . G P 
, if e k . G Q 



Definition 11. The incidents corresponding to the i th time interval is the sum of the 
values of all the events, trust-positive or trust-negative for the time interval. It is given 
by h = v kj where >ij is the number of events occurred in the i th time interval. 

Typically, events far back in time does not count just as strongly as very recent 
events. To accommodate this we assign a non-negative weight vv,- to the i' h interval such 
that vv,- > Wy whenever j < i, i,j G N. We then define experience as follows: 

Definition 12. The experience of an entity A about another entity B for a particular 
context c, is the accumulation of all trust-positive and trust-negative events that A has 
with regards to B over a given period of time [tQ,t n ], scaled to be in the range [-1,1 ]. 



To ensure that the value of experience is within this range (- 1 , 1 ] we define the weight 
vv; for the i th interval as 



Wi = 



i 

S 



Vi = 1,2 where S = 



n(n+ 1) 
2 



( 1 ) 



Then the experience of A with regards to B for a particular context c is given by 



gk WiIi 






( 2 ) 



To illustrate our concept of experience we use the following example. We use the 
symbol “+” to denote positive events and the symbol to denote negative events. 
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Example 1. Consider the following happening of events over time period to - tj. 



to 



tl 



h 



t3 



t4 



ts 



tfi 



t? 



Time 



We divide the time period into the intervals - [to,tiL • • • [t 6 ,t 7 ]. Applying our theory, 
we have the following incidents: Io for interval [to,tj ] = +2, Ii = 0 , 12 = 0 , 13 = -2, 14 
= + 2 , 15 = -2 and Ig = + 2 . 

The weights assigned to each time interval are as follows - wo (for interval [to,ti ] ) 
= 0.04, wj = 0.07, wi = 0.11, W 3 = 0.14, W 4 = 0.18, W 5 = 0.21 and w 6 = 0.25 (for 
interval [t6,ty]. Thus the value for experience over the period [to,ty] is 0.00857. 

Example 2. Consider the second set of events over the same time period to - ty. 

to tl t 2 t3 u ts t6 t 7 

Time 



The difference between this set of events and the one in example 1 is that we have 
more negative events that have happened recently. The total number of trust-positive 
and trust-negative events are the same in both. We get a value of 0.00286 for experience 
with this set of events. 

3.4 Evaluating Knowledge 

The parameter, knowledge, is more difficult to compute and is, to some extent, subjec- 
tive. To begin with, each truster must define its own criteria for gradation of knowledge 
regarding a particular entity. To assign a value to the knowledge component, the truster 
must come up with two values between -1 and +1 for direct knowledge as well as in- 
direct knowledge or reputation. How the values are assigned, depends on the scheme 
and policy of the truster. Also the truster is solely responsible to assign the relative 
weights for these two types of knowledge. We represent this as, aKb = w\d + W 2 r, 
where d, r £ [— 1 , 1 ] and w\ +wj = 1 ■ d and r are the values corresponding to direct 
knowledge and reputation respectively. The weights W| and W 2 are determined by the 
underlying policy where uy € [0, 1] Vi = 1 , 2 . 

The truster needs not have values for both the components. That is, there may be 
situation where either d = 0 or r = 0. A may not have any knowledge at all about B in 
the context. For these types of cases, where the truster does not have any information 
regarding the trustee in the context c, we assign ,4 Kjj = 0 where ‘0’ represents ‘no 
knowledge’ about B in context c. This is the situation when both d and r are zero. 

3.5 Evaluating Recommendation 

An initial recommendation, Vr, is a value in the range [-1,1] that is provided to the 
truster by the recommender. To assist the recommender in generating this value, the 
truster provides a questionnaire to the recommender. The recommender uses the pos- 
itive range to express his faith in the trustee while uses the negative range to express 
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his discontent. If the recommender has no conclusive decision, he uses a zero value for 
recommendation. 

Now, a truster A will often have a trust relationship with the recommender R. The 
context of this trust relationship will be to act “reliably to provide a service (recom- 
mendation, in this case)”. This trust relationship will have an effect on the value of the 
recommendation provided by the recommender. For example, let us say that A trusts 
R to quite a great extent to provide an appropriate recommendation for B but does not 
trust C as much as R. R provides a recommendation value of -0.5 to A and C also pro- 
vides the same recommendation value. To A, R’s -0.5 value will have more weightage 
for computing the trust value on B than C’s, although A will consider both the values. To 
model this scenario we use the trust of the truster on the recommender as a weight factor 
to the initial recommendation value returned by the recommender. We had introduced 
the expression v(A — /i)] v earlier in section 3 to denote the value of a normalized 
trust relationship. This is a value in the range [—1.1]. We use the absolute value of this 
value as the weight factor. At this stage we do not specify how we generate this value. 
We leave that to a later section. At this stage we express the recommendation cRb of a 
recommeder C for an entity B to the truster A as cRb = |v(A —> C)^\Vr. 

Finally, the truster A may get recommendations about the trustee B from many dif- 
ferent recommenders not just one. Thus the recommendation value that the truster uses 
to compute the trust in the trustee is specified as the sum of all recommendations scaled 
to the range [—1,1]. This is given by the equation 



Z} =l \v(A^>j)?\.Vj 

T j= MA^jf\ 



where, ¥ is a group of n recommenders. 



(3) 



3.6 Normalization of Trust Vector 

Having determined the values for each component of the trust vector we specify the 
simple trust relationship between the truster A and the trustee B in a context c as (A — 
B)t = [a^b^a K'b-\\i R'ii] 

As mentioned earlier in section 3.2, a truster may give more weight to one of the 
parameters than other in computing a trust relationship. For example, a truster A may 
choose to lay more emphasis on experience than recommendation in computing trust. 
Or for example, a truster may be quite sceptical regarding recommendations about the 
trustee. In that case the truster may want to consider the recommendation factor to 
a lesser extent in computing trust than experience and knowledge about the trustee. 
Which particular component needs to be emphasized more than the others, is a matter 
of trust evaluation policy of the truster. The policy is represented by the truster as a trust 
policy vector. 

Definition 13. The trust policy vector, W is a vector that has the same dimension as 
the simple-trust vector. The elements are real numbers in the range [0, 1] and the sum 
of all elements is equal to 1. 
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The normalized trust relationship between a truster A and a trustee B at a time t and 
for a particular context c is given by 

(A — B)? = W© (A — B) t (4) 

The © operator represents the normalization operator. Let (A — > B) t = [4 E B , A K B , 
be a trust vector such that A E B , A K B , yR c B £ [—1,1]. Let also W = [W e , Wk , W r \ be 
the corresponding trust policy vector such that W e + Wk + W r = 1 and W e ,Wk,W r £ [0,1]. 
The © operator generates the normalized trust relationship as 

(A -U B)? = W© (A -U B) t 

= [W e , W k , W,]Q[aE c Bi a K b , yR c B ] 

= [W e - A E L B , W k - A E C B , W r -yR c B ] 

= [ AEg , A K b , 

It follows from above that each element A E B , A K B , , v R' n of the normalized trust 
vector also lies within [— 1 , 1 ]. 

3.7 Value of the Normalized Trust Vector 

So far we have defined a trust relationship in terms of a vector which is normalized by 
a trust policy. Recall, however, from section 3.5 that there is at least one scenario in 
which we need to use a trust value as a weight for a real number (namely recommen- 
dation). Thus it seems appropriate to define the concept of a value corresponding to the 
normalized trust vector. Moreover, although we had previously argued against using a 
single value for trust, there is a big advantage of using a single value. A single value is 
more intuitive than a vector. In the next section we also show how such a single value 
helps us in assessing the dynamics of trust. 

Definition 14. The value of a normalized trust relationship (A — B)f = [ A E B , A K B , 
is a number in the range [— 1 , 1 ] and is defined as 

v(A B)? = A E C B + A t B + yR] C B (5) 

Having defined the value for a trust relationship we revise the terms “trust” and 
“distrust” as follows: 

1. If the value, T, of a normalized trust relationship is such that 0 < T < 1 then it is 
trust. 

2. If the value, T, of a normalized trust relationship is such that — 1 <T <0 then it is 
distrust. 

3. If the value, T, is 0 then it is neither trust nor distrust. 

3.8 Trust Dynamics 

Trust (and distrust) changes over time. Let us suppose that we have initially computed 
a trust relationship T,. at time © based on the values of the underlying parameters at 
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that time. Suppose now that we try to recompute the trust relationship T tn at time t„. 
We claim that even if the underlying parameters do not change between times r, and t „ , 
the trust relationship will change. This change of trust over time is often called trust 
dynamics. 

To model trust dynamics we refer to the old adage - Time the great healer. The 
general tendency is to forget about past happenings. This leads us to claim that trust (and 
distrust) tends towards neutrality as time increases. Initially, the value does not change 
much; after a certain period the change is more rapid; finally the change becomes more 
stable as the value approaches the neutral (value = 0) level. Also we assert the following: 

lim \{T t ) = 0 

t—^oo 




Fig. 1. Graph Showing the Nature of Trust Dynamics 



How fast trust (or distrust) will decay over time, is, we believe, dependent on the 
truster’s policy. The truster may choose to forget about trust relationships which are 3 
years old or 5 years old. The model cannot dictate this. Our goal is to provide a basis by 
which the truster can at least estimate, based on the truster’s individual perception about 
this, the trust at time t n . We further believe that trust relationship at present time is not 
only dependent on the values of the underlying parameters, but also on the “decayed” 
value of the previous trust. We discuss this in more details in the next section. 

Let v(7J ; ), be the value of a trust relationship, T tj , at time tj and v(7J n ) be the decayed 
value of the same at time t„. Then the time-dependent value of T tj is defined as follows. 

Definition 15. The time-dependent value of a trust relationship T tj from time tj, com- 
puted at present time t n , is given by 

v(T tn ) = v(T ti )e~^W 2k ( 6 ) 

where At = t n — tj and k is any small integer > 1. 
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The value of k determines the rate of change of trust with time and is assigned 
by the truster based on its perception about the change. If At = 0 that is at t n = tj, 
e - ( v ( 7 ’ , ;) Af ) = I and hence v(7) n ) = v(7], j. When Ar — > °°, then e~^ T ' A A —> 0 and 
hence v(7J n ) — > 0. This corroborates the fact the time-dependent value of the last known 
trust value is asymptotic to zero at infinite time. 

To obtain the trust vector T tn at time t n , we distribute the value \{T tn ) obtained in 
equation (6) evenly over the components. The rational behind this is that between f, 
and t n we do not have sufficient information to assign different weights to the different 
components. Thus we have the time-dependent vector as 

T = AllA 1 

tfi L O 5 o 5 o -I 



3.9 Trust Vector at Present Time 

As indicated earlier, the trust of a truster A on a trustee B in a context c at time t n 
depends not only on the underlying components of the trust vector but also on the trust 
established earlier at time tj. Consider for example that at time f, Alice trusts Bob to 
the fullest extent (value = 1 ). At time t n Alice re-evaluates the trust relationship and 
determines the value to be -0.5 (distrust). However, we believe that Alice will lay some 
importance to the previous trust value and will not distrust Bob as much as a -0.5 value. 
So, the normalized trust vector at t n is a linear combination of time-dependent trust 
vector and the normalized trust vector calculated at present time. The weight Alice will 
give to old trust vector and present normalized trust vector is, again, a matter of policy. 
However, this leads us to refine the expression for normalized trust vector at time t„ as 
follows. Let T be the time-dependent trust vector derived from v(T t .) at time t n . Also, let 
a and (3 are the weights corresponding to present normalized vector and time-dependent 
vector, respectively. 

Definition 16. The normalized trust relationship between a truster A and a trustee B at 
time t„ in a particular context c is given by 




The ® operator is defined as follows. 



[ A E c B , A k^R c B }®[ 



v(f) v(f) v(f) 



]=a-[ A E c B , A k^R c B } + ^ 



A?) v(f) v(f) 



— [oc • aE C b + P — ■ a • A&B + P ■ a ' + P ' 



where a, P e [0, 1] and a + p = 1 . 
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4 Comparison Operation on Trust Vectors 

In many real life scenarios we need to determine the relative trustworthiness of two 
trustees. Consider the following example. Suppose entity A gets two conflicting pieces 
of information from two different sources B and C. In this case A will probably want 
to compare its trust relationships with entities B and C and accept the information that 
originated from the “more” trustworthy entity. This lead us to define a comparison op- 
erator on trust relationships. 

Let T = [A — B)f and T' = (A — c —> C)? be two normalized trust relationships - 
between A and B, and between A and C respectively - at a particular time t. We have 
the following definition. 

Definition 17. Two trust relationships , T and T' are said to be compatible if the trust 
relationships have been defined under the same policy vector and the context c(T) for 
the trust relationship T is the same as the context c(T') for T' , that is c(T) = c(T'). 
Otherwise the two trust relationships are called incompatible. 

Note that to determine if two trust relationships are compatible or not we do not 
make any assumptions about the truster and the trustee involved in the relationships nor 
about the time instances of the relationships. In order to be able to compare the two 
trust relationships T and T' from above it has to be the case that the two contexts c and 
c are the same. 

The most intuitive way to compare two trust relationships T and T' is to compare 
the values of the trust relationships in a numerical manner. Thus for A to determine the 
relative levels of trustworthiness of B and C, A evaluates v(A B)f and v(A — C)f. 
Ifv(A-^B)f' > v(A — — > C); v , then A trust B more than C in the context c. We say that 
T dominates T' , given by T >- T' . 

However, if v(A — ^ B)f = v(A — ^ C)f, A cannot judge the relative trustworthiness 
of B and C. This is because there can be two vectors whose individual component values 
are different but their scalar values are the same. For such cases we need to compare 
the individual elements of the two trust relationships to determine the relative degree of 
trustworthiness. 

Let (A B)? = \ A E C B , a K c b , yit c B ] and (A -U C)f = [ A Ef, A kf, v /q] such that 
v(A = v(A — — > C)f . Let also the underlying trust policy vector be given by 

W = (wi, >V 2 , wf) where w\ +W 2 + >V 3 = 1 and w, > 0 Vi = 1,2,3. To determine the 
dominance relation between T and T' we first determine the ordered trust relationships 
T corresponding to T. 

Definition 18. The ordered trust relationship 7 is generated from a trust relationship 
T as follows: 

1. Order the w\ ’s in the trust policy vector corresponding to T in descending order of 

magnitude. 

2. Sort the components of the trust vector T according to the corresponding weight 

components. 
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We compare the two ordered trust relationships T and f', corresponding to T and T' , 
componentwise to determine the dominance relation between the two. Note that we 
assume that the same underlying trust policy vector has been used to determine the trust 
relationships. If the first component of T is numerically greater than the first component 
of T' then T >- T' . Else if the first components are equal then compare the second 
components. If the second component of T is greater than the second component of T' 
then T y T' , and so on. If we cannot conclude a dominance relation between the two 
trust relationship, then we say that the two trust relationships are incomparable. This is 
formalized by the following definition. 

Definition 19. Let T and T' be two trust relationships and T and T be the corre- 
sponding ordered trust relationships. Let also 1) and T- represent the i th component 
of each ordered trust relationships and Wj represent the i ,h weight component in the 
corresponding trust policy vector. T is said to dominate T' if any one of the following 
holds. 

1. v(T) > v(r'); or 

2. iff i,j, i ( Wj = Wj) then V i, 7} > T(; or _ 

3. if 3 i,Tj > T] and for k = 0...(i— 1), 7/_* T[_ k 

Otherwise T is said to be incomparable with T' . 



5 Conclusions and Future Work 

In this paper we introduce a new model of trust which we term the vector model. Trust 
is specified as a trust relationship between a truster and a trustee at a particular time 
instance and for a particular context. We identify three parameters namely, experience, 
knowledge and recommendation that contribute towards defining this trust relationship. 
We propose expression for evaluating these factors. Next we introduce the concept of 
normalized trust. We show how to factor in a notion of trust policy in computing the 
trust vector. We also model the notion of trust dynamics, that is the change of trust 
with time. Incorporating all these different notions we finally provide an expression 
to compute a trust vector that also includes the effect of a previous trust relationship 
between the same truster, trustee in the same context. We also define ways by which we 
can compare two trust vectors. 

To our knowledge our model is the first to (1) formally differentiate between trust 
and distrust, (2) address explicitly the contributions of different factors towards forma- 
tion of a trust relationship, (3) explore and formalize the dynamic nature of trust and 
(4) address the influence of a previous trust relationship in computing the current trust 
relationship. A novel feature of our model is that it is easily adaptable if the under- 
lying parameters are changed to include more than the current three parameters (the 
parameters all need to be orthogonal to each other.). 

A lot of work remains to be done. We are currently extending this model to define 
trust combination operators so that we can formulate the trust relationships between 
many trusters and many trustees beginning with simple trust relationships between one 
truster and one trustee as in this work. We also plan to formalize the notion of trust 
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chains in the context of our model. In the current work we have not addressed the issue 
of determining trust policy. We have assumed that there is an underlying trust policy 
that helps us assign weights to the various components of the model. How to assign 
these weights? What will be an appropriate guideline for that? These are some of the 
issues we will address in future. This will be followed by a formal language to manage 
and manipulate trust relationships. We are looking towards an SQL like language for 
this purpose. Finally we plan to develop a complete trust management framework based 
on our model. 
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Abstract. We describe an approach to sensor-based authentication that 
can adapt to accommodate incomplete, unreliable, or inaccurate input 
provided to the system. Parameterized Authentication moves beyond the 
traditional approach to security by acknowledging that identity verifi- 
cation cannot always produce perfect results. Our model addresses such 
inherent imperfections by introducing a metric, the Authentication Pa- 
rameter, that captures the overall “quality” of authentication. We define 
authentication “quality” in terms of sensor trustworthiness and the ac- 
curacy of sensor measurements. Using the Authentication Parameter, we 
are able to enforce and enhance the principle of least privilege by ensur- 
ing that the authentication process provides credentials that are sufficient 
but not stronger than the access level required by the requested opera- 
tion. This approach is particularly well-suited to meet the demands of 
a context-aware and pervasive computing environment in which authen- 
tication may be performed using passive and non-intrusive techniques. 
Our model supports the transparent capture of authentication-relevant 
information from the environment and provides a foundation for gener- 
ating dynamic credentials for sources of requests. We present our model, 
discuss its contributions, and illustrate how it can be used to support 
rich access control policies. 



1 Introduction 

Authentication is a fundamental building block in any system that enforces 
a security policy; it enables “principals” to identify themselves to the system 
and provides a foundation for access control. For the purposes of this paper, the 
principals we consider are users, though their attributes such as location, role, or 
history may also be relevant in authorization decision-making. All authentication 
schemes follow the same basic approach: known identification information about 
a principal is compared with information received from the source claiming to be 
that principal. Authentication is successful if both pieces of information match; 
however, authentication failure will result if a match cannot be produced. 

Pervasive computing environments strive to provide transparent access to re- 
sources and services. For example, the Aware Home [1], a prototype “home of the 
future” that has been built at Georgia Tech, is exploring a variety of emerging 
applications that range from remote appliance management (e.g., Cyberfridge 
[2]) to “awareness” and the active-monitoring of each resident’s activities and 
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needs. The prototype home has a rich computation and communication infras- 
tructure and will eventually be connected to other homes and institutions in the 
community. A variety of sensors are used to infer the activities of the home’s res- 
idents and various applications use this information to help improve the quality 
of life for residents. 

Clearly, the assumption that a principal’s identity can be verified with ab- 
solute certainty is impractical in real world scenarios, even when explicit inter- 
action is required. The Aware Home is an example of an environment in which 
sensors will be used for user identification and verification purposes. Homeown- 
ers are forced to balance authentication quality with financial limitations and 
a tolerance for being inconvenienced. For example, the Smart Floor [3] is cur- 
rently being deployed into the Aware Home despite its less-tlran-perfect accuracy 
because it is non-intrusive and easy-to-use. 

Non-binary authentication could be used to limit the damage that may result 
from an erroneous authentication. We have designed a model that can be used 
to produce an authentication measure from incomplete, unreliable, or inaccurate 
identification information that is provided by a set of sensors. We accomplish 
this by providing a quality measure for authentication. In addition, we provide a 
method for computing an authentication value by combining inputs from multi- 
ple sources; by reinforcing authentication and forming a consensus, our authen- 
tication framework is more robust and than those that rely on a single source 
for authentication. We refer to this approach as parameterized authentication. 

This paper is organized as follows: Section 2 presents related work. In sec- 
tion 3, we discuss the various logical components that comprise our model, iden- 
tify a set of design principles that guide the development of our model, and 
introduce the Authentication Parameter. Sect. 4 details our approach to man- 
aging trust and accuracy in the system and illustrates how these measures are 
used to produce the Authentication Parameter. We revisit our design principles 
in section 5 to discuss how well our model meets these principles. We discuss 
several outstanding issues and related research contributions in section 6. 

2 Related Work 

Our approach to computing an Authentication Parameter (AP) value makes use 
of techniques that have been explored in diverse research areas, including dis- 
tributed authentication, sensor matching and fusion, and trust and reputation 
management. In this section, we introduce relevant background material neces- 
sary for understanding the research contributions described in the remainder of 
this document. 

Distributed Authentication. In sensor-based authentication, identification infor- 
mation is collected from multiple sensors that may be trusted to different degrees. 
In distributed system environments that span multiple trust domains, authenti- 
cation may rely on certificates that are issued by certification authorities (CAs) 
that also have different levels of trust associated with them. Several researchers 
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have explored such models where an authentication measure based on the trust 
level of the CAs is derived. Beth et al. [4] present a model where trust can be 
combined from multiple CAs. Reiter and Stubblebine [5] explore the design prin- 
ciples that must be followed by such a model. Maurer [6], Jpsang [7] and others 
have explored additional techniques to compute an authentication metric based 
on paths or chains of CAs that are used for authentication. These techniques 
primarily focus on trust of the relevant CAs and do not address accuracy of 
identification information. 

Sensor Matching and Fusion. In interactive intelligent environments such as the 
home, biometric technologies are often used to obtain user identification with 
minimal explicit input. Unfortunately, many of the biometric devices widely 
available today cannot guarantee very high quality identification. This is typ- 
ically a result of noise that interferes with sensor readings, limitations of the 
processing methods or the variability in both the biometric characteristic as well 
as its presentation [8]. For instance, biometric device test reports [9, 10] discuss 
biometric sensors that can be easily defeated, including a fingerprint sensor that 
can misinterpret imprints in a Gummi Bear candy as a valid fingertip scan and 
a vision system that can be defeated by a photograph of an authorized user. 
Such weaknesses in biometric technology create opportunities for an impostor 
to “mimic” the actions of a legitimate user and, in essence, trick the system into 
believing that they are someone else. 

Sensor fusion refers to the combining of multiple identification “inputs” in 
order to produce a single identification metric. For example, one research group 
has recently incorporated speaker identification and speech recognition systems 
with a person tracking system to accurately locate a speaker and identify the 
speaker and what they are saying [11]. This form of sensor fusion yields a more 
reliable metric in case of uncertainty from an individual seusor. In addition to 
combined input, sensor fusion allows the system to reason about the fidelity of 
the composite information. This measure can be used to enhance the strength 
of the authentication service. 

Despite the “stronger” authentication results produced through sensor fusion, 
they still do not reflect the overall quality of the authentication process. Instead, 
the results are binary, thus allowing the user to either receive all access rights 
or none at all. Parameterized authentication provides a more novel approach 
by incorporating a notion of trust (in individual sensors) into the authentica- 
tion process and, ultimately, providing a metric that indicates the quality of the 
authentication process. This metric can be used to adjust the level of authenti- 
cation. For instance, a user can be authenticated into a role that is based on the 
strength of her identification, thus ensuring that a user is never allowed to have 
more access than the evidence provided by them for authentication. 

Trust and Reputation Management. Trustworthiness is often viewed as the ex- 
pectation of cooperative behavior and can be based on previous experiences with 
the same party. However, it is often necessary to evaluate the trustworthiness 
of an entity without having any prior direct interactions. In such situations, a 
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participant can place trust based on the latter’s “reputation” among others in 
the system. This approach bases reputation on the collection of evidence that 
supports certain claims of good or bad behavior. In parameterized authentica- 
tion, reputation or sensor trustworthiness can be based on whether a sensor’s 
input led to correct authentication or a breach of security. 

eBay and other similar Internet communities are practical examples of repu- 
tation management systems. On eBay’s site, for example, sellers receive feedback 
(+1, 0, —1) for their reliability in an online auction. Reliability is computed using 
the feedback values that are collected over a period of several months. 

In similar work, Kamvar et al. [12] describe a trust-based algorithm that 
identifies malicious entities in a peer-to-peer environment and isolates them from 
the network. Their reputation system, called EigenTrust, identifies inauthentic 
files on a network and even handles conditions where malicious peers cooperate 
in an attempt to deliberately compromise the system. Likewise, work by Beth et 
al. [4] presents a method for the valuation of trustworthiness based on experiences 
and recommendations. 

The mathematical foundations for reputation management are firmly rooted 
in probability and statistics. Our work draws heavily from Bayesian statistics in 
which a mechanism for combining evidence is presented. 



3 System Model 

Our model for parameterized authentication is based on information obtained 
from a distributed network of sensors. The model is composed of the follow- 
ing logical components: users, sensors, a user-attribute database, an attribute- 
matching service, a trust analysis engine, an audit service and the authentica- 
tion service. A high-level overview of our adaptive authentication architecture is 
given in figure 1. In the following sections, we detail the functionality of these 
components and describe how they interact with one another. 

3.1 Users 

Our approach to user authentication assumes an open-world model in which 
there exist two classes of Users - those that are “known” (identifiable) by the 
system, and those that are not. A user is defined by a collection of traits, or 
properties, that are either non-intrusively captured by sensors or explicitly pro- 
vided as input to the system. While some users may have similar traits, it is the 
collection of properties that define a user. By definition, no two collections are 
equal. Our model can make use of four fundamental trait types: physiological, 
knowledge-based, object-based and historical. 



3.2 Sensors 

Our system model consists of distributed sensors that collect identity information 
that is ultimately provided to an authentication service. Sensors are mechanisms 
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Fig. 1. Overview of Authentication Model 



designed to observe and capture user-specific traits from the environment. Some 
sensors require explicit user participation to complete the capture, while others 
are less intrusive and can record information without the user’s knowledge or 
active participation. These sensors observe user traits and forward relevant values 
to the authentication service where the information is interpreted and used to 
authenticate users. For example, in figure 1, sensor <Sjv provides a measured value 
of trait Xt- 

Our authentication framework gathers information from a variety of sensors 
to infer user characteristics. Examples of sensor technologies being deployed 
into the Aware Home include the Smart Floor, vision systems (ranging from 
facial recognition to movement sensors) and voice-recognition. Such sensors can 
non-intrusively gather user information, albeit less-tlran-perfect, from the envi- 
ronment. 



3.3 User- Attribute Database 

We assume the existence of a user-attribute database that maintains, for each 
user in the system, a collection of traits that define that user. We can think of the 
traits for user u as a t-dimensional trait vector x u , where x u = (x u \,x u 2 , . . . , x u t). 
In the Aware Home, trait vectors are used to create profiles for each user of the 
Smart Floor. Traits, in this scenario, are derived from a biomechanics measure 
known as the ground reaction force (GRF). The trait vector consists of ten 
footstep profile features that are later used to match unknown footsteps against 
user’s configured in the database. 
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3.4 Attribute-Matching Service 

The Attribute-Matching Service is responsible for collecting and assembling a 
trait vector from sensor output, and then computing accuracy by comparing the 
assembled trait vector with the stored definition for a user. If a collection of 
sensors assemble a trait vector y, it can be compared directly to the associated 
values stored in x to determine how well the observed features match those 
stored in the system. 

3.5 Trust Analysis Engine 

We define trust as a measure of the system’s confidence in a particular sensor; 
it reflects the quality of the information provided by a given sensor in the sys- 
tem. Clearly, this measure can only be refined over time, through a series of 
experiences that are recorded with the sensor. 

We have identified three possible outcomes that can result from an authenti- 
cation process. Positive user identification captures instances in which the cor- 
rect user is identified or in which an unauthorized user is prevented from obtain- 
ing credentials from the system. A denial of service results when a legitimate 
user is prevented from being authenticated due to malicious tampering with 
sensors or authentication data. Similarly, a compromise has taken place when a 
user obtains credentials belonging to another user. Any interaction that leads 
to a denial of service or a system compromise is considered to be a negative 
experience and the trust measures that contribute to a negative experience are 
subsequently degraded. Likewise, the system attempts to reinforce positive ex- 
periences by assigning higher trust values to sensors that consistently provide 
data to the authentication service which leads to correct authentication. 



3.6 Audit Service 

On-line scrutiny of all authentication decisions may not be possible for a number 
of reasons. Therefore, selective authentication decisions may be logged to enable 
subsequent off-line examination. For example, if a security violation is detected, 
a log can be used to reconstruct the sequence of interactions that led up to the 
violation. This would allow the system to revise the experience values associated 
with the sensors that contributed to the incorrect authentication; instead of con- 
tributing to a positive experience, the sensors would receive a negative rating for 
the interaction. In addition, the audit service would be responsible for processing 
log information to produce feedback that is sent to the Trust Analysis Engine. 
This feedback is used to maintain evolving trust values for each of the sensors. 

3.7 Authentication Service 

The authentication service receives input from the Trust Analysis Engine and 
the Attribute-Matching Service that is combined to derive the Authentication 
Parameter. The output from this service is based on input supplied by one 
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or more sensors. We identify a set of useful design principles that guide the 
derivation of an Authentication Parameter from the information received. 

Principle 1: Accuracy of a sensor. Accuracy measures the similarity between 
a stored trait value and the value of a trait observed by a single sensor. The 
accuracy measure should address the need for normalized results so comparisons 
can be made. 

Principle 2: Evolution of Trust through experience. Trust is a measure of con- 
fidence held by the authentication service in a particular sensor; it represents a 
reputation that is established through consistent behavior and observed over a 
series of experiences, both positive and negative. Trust should increase slowly to 
allow reputation to build between the authentication service and sensor. Like- 
wise, once negative experiences are detected, trust should decrease quickly to 
defeat malicious or compromised sensors that attempt to improve their reputa- 
tion through a short-run of positive performance. 

Principle 3: Combining Trust and Accuracy. When trying to determine a 
user’s authenticity, the authentication service analyzes input provided by each 
sensor. The authentication service forms an opinion by taking sensor input and 
adjusting it to reflect the current level of trust associated with each sensor. This 
opinion, generated for each sensor, should reflect both certainties and uncertain- 
ties with regard to user identity, giving both trust and accuracy important roles 
in generating the opinion. 

Principle f: Consensus of Opinions. Once a set of individual opinions have 
been collected, they must be combined to generate the authentication parame- 
ter. When sensor opinions are in agreement, certainty should increase. Conflicts 
in opinion should be indicated through increased lack of confidence in the au- 
thentication decision. 

Principle 5: Evaluation order independence. The derived conclusions of the 
model, namely the Authentication Parameter, should be independent of the 
order in which sensor input is considered. This principle allows additional sensor 
inputs to be factored into an Authentication Parameter that has already been 
computed. 

Principle 6: Property dependence and feedback. The value of the model’s 
trust and accuracy parameters should impact the feedback cycle in which trust 
is recomputed and returned to the system. 

Principle 7: Robustness. The authentication parameter should be designed 
to be resilient to long-term manipulation of its model by misbehaving entities, 
and its sensitivity to various forms of misbehavior should be made explicit. 



4 Deriving the AP 

The authentication service builds an authentication opinion by collecting input 
from one or more sensors with information relevant to the current user or request. 
An opinion is formed for each source of input and has two measures that impact 
its outcome. The first measure, accuracy , measures the similarity between a 
user trait that is observed by a sensor and the value of the same trait that is 
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stored in a user signature. The second measure, trust , represents the reputation 
a sensor has with the authentication service; it measures consistency between 
past results and the output of an individual sensor. In this section, we further 
describe accuracy and trust and show how they can be combined to produce the 
Authentication Parameter. 

4.1 Accuracy 

In our model, accuracy is defined as a similarity measure between a stored trait 
value and an observed trait value. When a sensor provides input to the system, 
that input data is compared with stored identity data to determine if a match 
exists. In order to account for variations between stored and observed data, a 
perfect match is not always required by the system. The closeness or quality of 
a match, therefore, is reflected in the accuracy value. 

In order to assess how well an observed trait x° matches a stored trait X s , 
we consider a distance measure d(x°,x s ) such that 

,, 0 s\ _ / large when x°,x s => mismatched traits 
’ ' ) small when x°,x s =>■ similar traits 

The most obvious measure of similarity (or dissimilarity) between two mea- 
surements is the distance between them. Similarity and distance measures have 
been explored in a variety of domains (e.g., [13, 14] and can be used to compare 
one or more identifying features. Some comparison studies exist among similarity 
measures and indicate that different similarity measures perform best when cou- 
pled with the appropriate set of attributes. Clearly, the method for computing 
accuracy is implementation-specific. 

An example of accuracy measurements being used in the Aware Home can 
be found in the Smart Floor. In modeling each individual’s footsteps, the Smart 
Floor designers chose ten footstep profile features to use as markers in an overall 
user profile. References are made to a combination of user, foot, and shoe type 
as a condition (e.g., “Joe’s left foot while he was wearing tennis shoes”). One 
instance of a user’s footstep constitutes one cluster of data in a training set. 
This cluster is then used to calculate a Euclidean distance from an unidentified 
footstep. The identity of the cluster with the lowest average distance is chosen 
as the identity of the unknown footstep. 

There are many approaches for computing distances in order to obtain an 
accuracy measure. Some instances will require that the attribute-matching ser- 
vice produce a distance measure between only two points. Other instances will 
require that a collection of identifiers or traits be used in the computation. For 
instance, a vision-based sensor will attempt to collect a series of traits that are 
combined to produce a single user identifier. This collection forms a vector that 
is compared with one stored by the system. Other sensors will produce more 
primitive output that will require less intensive comparisons. 

4.2 Trust 

The authentication service, when taking input from multiple sensors, may be pre- 
sented with conflicting information that could either represent a compromised 
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sensor, a failed sensor or a malicious agent trying to access the system. We make 
use of techniques from Bayesian statistics to derive and maintain the trust met- 
rics for individual sensors. Bayes’ theorem is based on the subjective definition 
of probability as “degrees of belief.” This approach assigns probabilities to hy- 
potheses, allowing for the combination of a priori judgments and experimental 
information. Trust, as defined in our model, is not a static value; it involves a set 
of uncertainties that are refined over time through experiences and interactions. 
This makes Bayesian logic a natural mechanism for evolving trust values in our 
model. 

After defining the initial hypothesis and the associated probability for each 
sensor, Bayes’ approach attempts to refine trust by calculating the effect of a 
correlated event on the original hypothesis. Our model focuses on an event E 
that captures the outcome of an authentication experience. We define E to be a 
binary event that is either positive or negative. The experience is positive if the 
sensor produces output that is correct (e.g., correctly identifies a user) and is 
negative if the sensor produces output that is incorrect (e.g., identifies an intruder 
as a known, authorized user). We then compute the following probability using 
Bayes’ theorem, where T is the hypothesis or current trust value, and E is the 
value of the experience: 



P(T\E) 



P(E\T) ■ P{T) 

P{E\T) ■ P(T) + P{E\—T) ■ P(pT) 



If the event is positive then P(E\T) = P(+E\T) which is defined to be a, 
where a is the accuracy associated with the reading. Likewise, for a negative 
experience, P(E\T) = P{—E\T) which is defined to be (1 — a). 

Similarly, we define P(E\-<T) in terms of the experience. If the experience 
is positive we define P(+E\->T) = a. If the experience is negative we define 
P(—E\-vT) = (1 — a). The value for P(E\->T) reflects the probability that a 
(positive/negative) event will occur, even when the sensor is not trustworthy 
(e.g., when the hypothesis is invalid). The value for a is predetermined and 
indicates a lower-bound threshold for untrusted activity. Our model assumes 
that a compromised sensor will provide some positive experiences as it attempts 
to evade detection and exclusion. A high value for a implies that when a sensor 
is compromised, its malicious behavior will be caught quickly and it will no 
longer be used in authentication decisions. Thus, if a compromised sensor wants 
to damage the system over a longer period of time, it must limit incorrect results 
that it provides and behave more like a good sensor. 

Once P(T\E) is computed, it provides a revised trust value for a given sensor. 
This updated measure replaces the current trust value, P(T), and is used in fu- 
ture refinements under the Bayes approach. We previously defined Design Princi- 
ple 6 in which we detailed a “feedback cycle” for recomputing trust and returning 
it to the system. Our approach to evolving trust by computing P(T) = P(T\E) 
provides this essential feedback cycle and allows us to react accordingly when 
sensors malfunction or misbehave. 

In practice, determining the quality of E is difficult. We currently rely on 
both consensus results and an out-of-band audit analysis to determine the quality 
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of an experience. For instance, if multiple sensors produce output for a single 
authentication request and a majority of those sensors support a similar user 
profile, those in the minority will be flagged as providing a negative experience. 
Likewise, if an out-of-band audit log review determines that a compromise has 
occurred, the sensors that contributed to the false authentication will have their 
trust values degraded through a negative experience. 

Furthermore, evaluating and revising T after every authentication event may 
be impractical or impossible. If a sensor is overwhelmed with incoming authen- 
tication requests, recomputing T after each one may slow response time. Fur- 
thermore, it is difficult to determine the quality of an experience in real-time as 
the system may require information from outside sources (e.g., audit logs). 

Using our function for trust evolution, the trust after n experiences (t n ), out 
of which k are positive and in are negative, can be written as follows. The base 
trust value to is assigned to each individual sensor by the security administrator. 

(nli at)) -to 

t n = r 

(IL=1 o») • (n;=i(l - aj)) ■ to + a k ■ (1 - a) m ■ (1 - t 0 ) 

4.3 Authentication Parameter 

Jpsang defines a framework for artificial reasoning called Subjective Logic [7] that 
consists of a belief model called opinion space. Subjective Logic was developed 
to mathematically describe and manipulate subjective beliefs; it is an extension 
of standard logic that uses continuous uncertainty and belief parameters instead 
of only discrete truth values. We have used the Subject Logic framework for 
Parameterized Authentication as it provides a foundation for the handling of 
uncertainties and the forming of conclusions based on insufficient evidence. 

Similar to Jpsang’s approach, we assume that knowledge about the world 
(obtained through a sensor) is never perfect and it may be impossible to verify 
a user’s identity with absolute certainty. Given this imperfect knowledge, it is 
impossible to know authoritatively whether a user has been properly identified, 
so a sensor can only have an opinion about the observation. For a single opinion 
about a user’s authentication, we assume that 

b + d + u = 1, {b, d, u} € [0, 1] 

where b, d, and u represent belief, disbelief and uncertainty respectively. A situa- 
tion in which there is zero uncertainty is equivalent to the traditional probability 
model. 

Our method for assigning values to the {b, d, w}-tuple differs from that pro- 
posed by Jpsang. His approach involves mapping the opinion space to an evidence 
space that consists of a probability certainty density function. Our evidence 
space, however, consists of trust and accuracy measures obtained from sensors. 
Therefore, we let u> x = {b Xl d x ,u x } be a single sensor’s opinion about the au- 
thentication of user x. We now define u> x as a function of trust and accuracy 
measures that have been obtained from the sensor: 




286 Michael J. Covington et al. 



^ X 



b x = t ■ a 
d x = t ■ (1 - a) 
u x = (1 - t) 



Here, t is a measure of trust for the sensor that is providing the authentication 
data and a is the accuracy of the observed trait. Our definition for to x makes it 
clear that belief and disbelief are functions of both accuracy and trust, whereas 
uncertainty results from the lack of trustworthiness. For example, belief will be 
high only when both match accuracy and sensor trust are high. 

Subjective Logic contains several different operations, with the most relevant 
to our work being consensus. A consensus opinion consists of combining two or 
more independent opinions about the same proposition (e.g., “The user’s identity 
as Bob can be verified”) into a single opinion. 

The Authentication Parameter is found in the final lo x after consensus has 
been computed for all relevant opinions. The value of interest is the b x that 
reflects the overall belief in the user’s authenticity based on input from multi- 
ple sensors. However, this value alone is insufficient to describe the quality of 
authentication. The entire {6, d, wj-tuple is retained for a variety of reasons, in- 
cluding the addition of supplemental input through the consensus operation and 
the comparison of results. 



5 Validation 

Ideally, validation is done by using actual sensors deployed in a real environment 
in which users are authenticated based on sensor-obtained data. Unfortunately, 
we currently do not have access to such an infrastructure. We discuss the validity 
of our approach by examining how well it met the original design principles that 
were presented by us in section 3.7. 

Design Principle 1: Accuracy of a Sensor. The accuracy measure we define is 
the distance measure between an observed trait and a stored trait. The open 
method presented in section 4.1 to compute authentication accuracy meets the 
guidelines presented in our model’s design principles. We do not restrict the 
design of an accuracy function and acknowledge that implementations will vary 
widely depending on the sensor technology being used. 

Design Principle 2: Evolution of Trust Through Experience. The following fig- 
ures (figure 2 for positive experiences and figure 3 for negative experiences) 
demonstrate how trust evolves for various sensor “types” as experiences are en- 
countered over a period of time. In figures 2 and 3, a sensor is defined with an 
initial trust value of t = 0.9, a sensor reading rated with accuracy a = 0.9, and 
an administrative a- value set to a = 0.6. The solid line in the plot shows how 
trust changes when experiences are encountered with the sensor. Likewise, the 
dotted line shows a similar evolution process for trust with a lower setting of the 
initial trust value. 

As illustrated through these figures, trust is slow to build and quick to de- 
grade. These results follow in line with the expectations set forth in the second 
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design principle. These properties allow for trust reputation to build over time, 
while quickly punishing any malicious or compromised components. 

Figure 4 provides a look at trust evolution when both positive and negative 
experiences are encountered in a single sensor. The solid line illustrates how trust 
is increased when a series of 5 consecutive positive experiences are encountered 
and, subsequently, how trust is quickly degraded when it is followed by 5 consec- 
utive negative experiences. The dotted line shows how trust is decreased during 
the time period when a random collection of experiences occur (e.g., an equal 
number of alternating positive and negative experiences) . As above, these prop- 
erties remain consistent with our design principles: trust is slow to build, quick 
to fall, and our model always errs on the side of caution - random experiences 
reflect an inconsistency with the sensor and cause trust to degrade. 




Blocked +/- Exp 
Alternating +/- Exp 



Fig. 4. 10 Alternating Positive/Negative Experiences 



Design Principle 3: Combining Trust and Accuracy. By utilizing the Subjective 
Logic framework, our model is capable of describing and manipulating subjective 
beliefs, or sensor opinions. Our evidence space is comprised of the trust values 
maintained for each sensor and the accuracy of the each sensor output. 

The consensus operation described in section 4.3 allows for the combination 
of two independent opinions. Clearly, an opinion consists of more than just trust 
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and accuracy. By generating belief, disbelief and uncertainty values, the resulting 
tuple reflects a multitude of information that could not be conveyed with a single 
value. Combining trust and accuracy in this manner reflects both certainties and 
uncertainties, without placing any undue weight or emphasis on a particular 
component of the model. These properties are aligned with the design principles 
that govern the combination of trust and accuracy. 

Design Principle f: Consensus of Opinions. Using Jpsang’s model for consen- 
sus [7] we can compute how an authentication parameter is effected when more 
sensors are used to compute an authentication decision. A “good” sensor is one 
with a high trust, or belief, value. A “bad” sensor is one that has low trust 
and high distrust. With both sensor types, uncertainty results from the lack of 
perfect trust in sensors and perfect accuracy from their readings. 

The results from the consensus operation are consistent with design principle 
4 in that certainty only goes up when the majority of opinions are in agreement. 
Any conflicts or increased disbelief cause a decline in confidence and, as a result, 
a lowering of the belief value in the authentication parameter. 

Design Principle 5: Evaluation Order Independence. The fifth design principle 
can be validated by showing that order does not matter in evaluating trust. In 
section 4.2, we demonstrated that the trust after n experiences can be expressed 
as a function, with k positive and in negative experiences. This approach enables 
us to produce a trust value that is based on multiple experiences and computed 
in any order. Since trust is based on the collection of experiences, regardless of 
order, this design principle applies to our model and ensures that trust can be 
computed efficiently. 

Design Principle 6: Property Dependence and Feedback. Our approach for man- 
aging trust using Bayesian statistics takes into account current trust values and 
accuracy readings. In addition, the model provides a feedback loop that eval- 
uates the quality of an experience and incorporates this into an evolving trust 
value. By allowing trust parameters to evolve and accuracy readings to impact 
feedback cycles, our model is protected from misbehaving and malfunctioning 
sensors. 



Design Principle 7: Robustness. This design principle aims to produce a resilient 
authentication parameter that is not subject to long-term manipulations by mis- 
behaving entities. Figure 5 shows the result of a consensus operation that has 
been performed by one form of misbehavior - a “random,” or inconsistent, sen- 
sor. In this example, a random sensor is defined as one with an initial trust value 
of t = 0.5 and an accuracy reading of a = 0.5. These values yield a “random 
opinion” of: 

( b x = t ■ a = 0.25 



^ X 



d x = t ■ (1 — a) = 0.25 
u x = (l-t) = 0.50 



Our future research will focus on building a more robust model for parameter- 
ized authentication. We intend to extend this work by investigating outstanding 
issues such as the impact of byzantine adversaries on our model. 
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Number of Random Sensors 



Belief/Disbelief 

Uncertainty 



Fig. 5. 10 Random Sensors forming Consensus 

As indicated in the figure, uncertainty decreases as more random sensors 
contribute an opinion to the authentication process. However, the randomness of 
the sensors results in an equal, but slow, rise of belief and disbelief values. Given 
the relatively low accuracy and trust values associated with a random sensor, 
the consensus operation does not allow these sensors to have a significant impact 
on the overall AP that results. In fact, the AP value does not increase beyond 
0.5 even when many sensors are polled. 

6 Discussion 

We have introduced the concept of Parameterized Authentication and detailed 
the process for computing a measure that captures the overall quality of an 
authentication process. In this section, we present some noteworthy aspects of 
parameterized authentication that did not receive sufficient discussion in previ- 
ous sections. 

6.1 Authentication Paradigms and Historical Data 

We believe that the use of historical state information would supplement and 
enhance the accuracy of a security subsystem. In essence, we propose an authen- 
tication cache that would allow authentication decisions to be based on identifi- 
cation information currently stored in the system. Traditional implementations 
of caching technology were able to store often-requested information at the edge 
of the network, therefore speeding up site performance and lowering connection 
costs. Given the overwhelming success of caching, we propose that similar tech- 
nology be applied to the security services in interactive environments such as 
the home. 

Such a cache would pull user identification information from sensors in the 
environment and use it when making future access control decisions. For exam- 
ple, in the Aware Home users will be identified using a number of devices and 
technologies. Suppose that Alice swipes a smart card in order to gain access to 
the house via the front door. As she enters, a camera is able to identify her with 
86% accuracy and the Smart Floor is able to track her movements and maintain a 
positive identification as she moves throughout the house. When Alice attempts 
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to access a restricted resource, the system is able to use all of the historical state 
information, including the data obtained via the smart card’s key signature, the 
camera, and the Smart Floor, to obtain a positive identification, and therefore 
an accurate authentication, for Alice , a legitimate resident and authorized user 
of the resource. 

To our knowledge, the use of historical information in security-related deci- 
sions has never been included as an enhancement to the overall system. Instead, 
historical data has been viewed as stale and inconsequential because security 
parameters and policies are subject to dynamic change and variability. However, 
in the case of the Aware Home and other computationally rich environments, 
historical data can offer something that is highly desirable - more timely and 
efficient access to critical information. In addition, historical information can act 
as a supplement in cases where the current or active data set is inaccurate or 
incomplete. 

6.2 Authentication Refinement 

Other authentication services, such as Kerberos [15], enforce session limits that 
force tickets or credentials to expire after a specified period of time has elapsed. 
We provide a mechanism to enforce similar session limitations, but use a method 
of enforcement that compliments our model for parameterized authentication. 
Since the user credential, or AP, is actually a consensus of input from multiple 
sources that could potentially be collected over a period of time, credentials 
cannot simply timeout. Also, it may be desirable to have a credential based on a 
lower AP value expire before one that was based on more reliable sensor input. 

To address these concerns, our model provides a decay function that decrease 
the authentication value over time to enforce session limits and ensure the au- 
thenticity of user credentials. The effect of this decay on an AP’s value can be 
modeled using a decay function /(n) such that the AP decreases after some 
specified time has passed; the rate of decay should increase as more time passes. 
Higher AP values (e.g., those based on more trustworthy or accurate sensor in- 
puts) are typically more reliable than lower AP values. After t time-periods, the 
AP value will be equal to y. This approach guarantees that access to restricted 
resources is provided only to users with sufficient authentication credentials that 
are current, accurate and trustworthy. 

6.3 Application Scenario 

To best illustrate our approach, we have built a secure implementation of Au- 
dioIM, an instant messaging (IM) application in the Aware Home, that uses 
parameterized authentication. AudioIM is one member of a family of applica- 
tions [16] that are being used to explore how technology can enhance distributed 
conversation among family and close friends. Similar to text-based IM, which is 
used in the office to start semi-synclrronous talks, AudioIM extends IM into 
the home with a touchscreen interface and audio messaging. AudioIM strives to 
provide instant messaging services where desktops are not suitable. 
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In order to identify users interacting with the system, the original AudioIM 
application provides a password verification scheme. The login component re- 
quires the user to authenticate herself with a username and password combina- 
tion. This approach uses a desktop-centric authentication model for an applica- 
tion that was designed specifically for pervasive computing environments. 

The enhanced application no longer requires the user to explicitly provide 
login information. Instead, a request to access a restricted function triggers the 
authentication service to collect identification information from the appropriate 
sensor (s) in the home. Consider an example in which the AudioIM application is 
physically located near a Smart Floor and a computer vision system. The Smart 
Floor’s output identifies the user as Alice with an accuracy reading of 90%. The 
second sensor also identifies the user as Alice but with an accuracy of 85%. 
Using this identification information and previously established trust values, the 
authentication service generates an opinion for each sensor. If the Smart Floor 
and vision system each had a trust value of 0.9 prior to this experience, the 
following sensor opinions are computed using our approach described in 4.3. 

[6 = 0.81 [6 = 0.765 

WFioor = < d = 0.09 and ^vision = < d = 0.135 
[ u = 0.1 [u = 0.1 

These results are then used to obtain the value of the consensus operation 
WFioor © ^vision- In this example, the resulting consensus has a belief value 

6 = 0.829. If this authentication parameter of 83% is sufficient to meet the 
requirements of the access control policy, no explicit communication is necessary 
to obtain user credentials. Furthermore, if the authentication of Alice is deter- 
mined to be correct, each sensor’s trust value will be recomputed to incorporate 
this positive experience. 

7 Conclusion 

We have introduced a new model for user authentication and have described how 
it can be used to secure dynamic applications in pervasive computing environ- 
ments. The major benefit provided by this authentication model is its ability to 
provide quantitative measure for an authentication parameter when faced with 
incomplete, inaccurate or unreliable information. 

We introduced the concept of parameterized authentication and have illus- 
trated how it can allow continued functionality in a damaged, compromised or 
fundamentally inaccurate system. Furthermore, our authentication scheme is not 
limited by being binary in nature - users who cannot be fully authenticated by 
the system may still be given access rights based on their role and the level of 
confidence the system has in their identification. 

Our notion of parameterized authentication provides a metric, the authenti- 
cation parameter, that is based on trust and accuracy values associated with each 
authentication sensor and the output provided by those sensors. The authenti- 
cation parameter is used to provide knowledge of the authentication process to 
an authorization service as a single, well-understood metric. We have presented 
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several design principles that guided the design of our model and have used those 
principles to evaluate the model itself. 

Our ongoing work focuses on improving the model for parameterized authen- 
tication. This includes further refinement of the robustness design principle, an 
exploration of session management in pervasive computing environments, and 
the design of a more timely feedback cycle. 
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Abstract. Key distribution is one of the most challenging security issues 
in wireless sensor networks where sensor nodes are randomly scattered 
over a hostile territory. In such a sensor deployment scenario, there will be 
no prior knowledge of post deployment configuration. For security solu- 
tions requiring pairwise keys, it is impossible to decide how to distribute 
key pairs to sensor nodes before the deployment. Existing approaches to 
this problem are to assign more than one key, namely a key-chain, to 
each node. Key-chains are randomly drawn from a key-pool. Either two 
neighboring nodes have a key in common in their key-chains, or there 
is a path, called key-path, among these two nodes where each pair of 
neighboring nodes on this path has a key in common. Problem in such 
a solution is to decide on the key-chain size and key-pool size so that 
every pair of nodes can establish a session key directly or through a path 
with high probability. The size of the key-path is the key factor for the 
efficiency of the design. This paper presents novel, deterministic and hy- 
brid approaches based on Combinatorial Design for key distribution. In 
particular, several block design techniques are considered for generating 
the key-chains and the key-pools. 

Comparison to probabilistic schemes shows that our combinatorial ap- 
proach produces better connectivity with smaller key-chain sizes. 



1 Introduction and Problem Definition 

In this work, we consider a sensor network in which sensor nodes need to com- 
municate with each other for data processing and routing. We assume that the 
sensor nodes are distributed to the target area in large numbers and their lo- 
cation within this area is determined randomly. These type of sensor networks 
are typically deployed in adversarial environments such as military applications 
where a large number of sensors may be dropped from airplanes. 

In this application, secure communication among sensor nodes requires au- 
thentication, privacy and integrity. In order to establish this, there must be a 
secret key shared between a pair of communicating sensor nodes. Because the 
network topology is unknown prior to deployment, a key pre-distribution scheme 
is required where keys are stored into ROMs of sensors before the deployment. 
The keys stored must be carefully selected so to increase the probability that 
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Fig. 1 . A Wireless Sensor Network 



two neighboring sensor nodes have at least one key in common. Nodes that do 
not share a key directly may use a path where each pair of nodes on the path 
shares a key. The length of this path is called key-path length. Average key-path 
length, is an important performance metric and design consideration. Consider 
sample sensor network given in Figure-1. Assume that only sensor nodes a and 
b does not share a key. Nodes a and c can establish secure communication where 
the key-path length is 1. Node c and b also have key-path length of one. How- 
ever, nodes a and b can only use the path a-c-b to communicate securely with 
key-path length of two. 

The common approach is to assign each sensor node multiple keys, randomly 
drawn from a key-pool , to construct a key-chain to ensure that either two neigh- 
boring nodes have a key in common in their key-chain, or there is a key-path. 
Thus the challenge is to decide on the key-chain size and key-pool size so that 
every pair of nodes can establish a session key directly or through a path. Key- 
chain size is limited by the storage capacity of the sensor nodes. Moreover, very 
small key-pool increases the probability of key share between any pair of sensor 
nodes by decreasing the security in that, the number of the keys needed to be 
discovered by the adversary decreases. Similarly, very large key-pool decreases 
the probability of key share by increasing the security. 

Eschenauer et al. in [14] propose a random key pre- distribution scheme where 
tens to hundreds of keys are uploaded to sensors before the deployment. In their 
solution, initially a large key pool of P and the key identities are generated. For 
each sensor, k keys are randomly drawn from the key-pool P without replace- 
ment. These k keys and their identities form a key- chain which is loaded in to 
the memory of the sensor node. Two neighboring nodes compare list of identities 
of keys in their key-chain. Since only the identities are exchanged, this process 
can take place without any privacy mechanism. Eschenauer et al. also propose 
to employ Merkle Puzzle [20] similar approach to secure key identities. After key 
identity exchange, common key(s) are used to secure the link in between two 
sensor nodes. It may be the case that some of the neighboring nodes may not be 
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able to find a key in common. These nodes may communicate securely through 
other nodes, through other secured links. Chan et al. in [6] propose a modifi- 
cation to the basic scheme of Eschenauer et al. They increase the amount of 
key overlap required for key-setup. That is, q common keys are needed instead 
of one to be able to increase the security of the communication between two 
neighboring nodes. In [33], common keys in the key-chains are used to establish 
multiple logical paths over which threshold key sharing scheme is used to agree 
on a new secret. 

Random-pairwise key scheme in [6] is a modification of the pairwise key 
scheme. It is based on Erdos and Renyi’s work; to achieve probability p of any 
two nodes are connected, in a network of n nodes, each node needs to store 
only a random set of rip pairwise keys instead of n — 1. Slijepcevic et al. [24] 
propose that each sensor node shares a list of master keys, a random function 
and a seed. Every sensor uses shared random function and shared seed to select 
a network wise or group wise master key. In [3, 18], polynomial-based key pre- 
distribution protocol proposed for group key pre-distribution. In [19], polynomial 
pool-based key pre-distribution is used for pairwise key establishment. For each 
sensor, random or a grid based pre-distribution scheme is used to select set of 
polynomials from a pool. 

In [2], Blom proposes a A-secure key pre-distribution system where a public 
matrix P and a private symmetric matrix S over a finite field GF(q) is used. 
Rows of the matrix A = ( S.P) T is distributed to users. Blom’s scheme is a 
deterministic scheme where any pair of nodes can find a common secret key. Du 
et al. in [9] use Blom’s scheme with multiple spaces to increase resilience. In [10], 
Du et al. first model node deployment knowledge in a wireless sensor network 
and then develop a key pre-distribution scheme based on this model. 

In [23, 30, 11, 12, 7, 5, 34] a network architecture where there are one or more 
base-stations is considered. These base-stations are considered as powerful in 
resource and sensor nodes are clustered around them. Each sensor node shares 
a key with each base-station to secure sensor node to base-station and base- 
station to sensor node unicast communication. Authentication mechanism for 
the broadcasts from base-station to sensor nodes is addressed in [23, 11, 12, 17, 
7]. They propose modified versions of TESLA where a verifiable key, which is 
used to encrypt a message, is disclosed later then the message broadcasted. 

1.1 Our Contributions and Organization of This Work 

The main contribution of this work is the deterministic and hybrid approaches 
to the key distribution problem. In particular, we bring in a novel construction 
methodology from Combinatorial Design Theory to address this problem. Al- 
though there are some applications of Combinatorial Designs in cryptography 
[26-28], and in network design [32,29], best to our knowledge this work is the 
first to apply design theory to key distribution. Our analysis indicate that de- 
terministic approach has strong advantages over the randomized ones since it (i) 
increases the probability that two nodes will share a key, and (ii) decreases the 
key-path length. 




